danabot | 156aa651b485fda0e803fec33784f8517b59601e26319a756061ed3dea4b01b4

Analysis

Target

156aa651b485fda0e803fec33784f8517b59601e26319a756061ed3dea4b01b4.exe
Size

1.8MB
MD5

26ed7b993b5e713d53bdf1c4dd4078a4
SHA1

fc122ebe47d1a99eedb42eb2f9ca50d1df2f23b8
SHA256

156aa651b485fda0e803fec33784f8517b59601e26319a756061ed3dea4b01b4
SHA512

5990454a3f25d8cf8e29a08541863ddbeed4bfccee17baf67dbabb91de66b02ec4d2efa3cd113877e0c9023182952e5354993fc5f2d4abeea40536e4f7eae5e2

Score

10^/10

Family

danabot

Botnet

142.11.244.223:443

192.236.194.72:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\156AA6~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\156AA6~1.DLL	DanabotLoader2021

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4324 rundll32.exe

pid	process
4324	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

156aa651b485fda0e803fec33784f8517b59601e26319a756061ed3dea4b01b4.exe

description	pid	process	target process
PID 3408 wrote to memory of 4324	3408	156aa651b485fda0e803fec33784f8517b59601e26319a756061ed3dea4b01b4.exe	rundll32.exe
PID 3408 wrote to memory of 4324	3408	156aa651b485fda0e803fec33784f8517b59601e26319a756061ed3dea4b01b4.exe	rundll32.exe
PID 3408 wrote to memory of 4324	3408	156aa651b485fda0e803fec33784f8517b59601e26319a756061ed3dea4b01b4.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\156aa651b485fda0e803fec33784f8517b59601e26319a756061ed3dea4b01b4.exe
"C:\Users\Admin\AppData\Local\Temp\156aa651b485fda0e803fec33784f8517b59601e26319a756061ed3dea4b01b4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\156AA6~1.DLL,s C:\Users\Admin\AppData\Local\Temp\156AA6~1.EXE
2⤵
- Loads dropped DLL
PID:4324

C:\Users\Admin\AppData\Local\Temp\156AA6~1.DLL
MD5
67581930fc5c24b214a19dee07250dc3

SHA1
7e077313e552e7add3e014546b431115d7f2e129

SHA256
b427dc720b4699ed662aba7e48840282727b0410f6b9b7f60510697bc2b6175c

SHA512
c9e7be096746465bfb7429d72b583ce45bb880b02ea752a13c459972cc1e70344e6a073d50ce75522456506a63edbc8ad8b0d761b583a35a7de032a05471f5f8

Download Submit
\Users\Admin\AppData\Local\Temp\156AA6~1.DLL
MD5
67581930fc5c24b214a19dee07250dc3

SHA1
7e077313e552e7add3e014546b431115d7f2e129

SHA256
b427dc720b4699ed662aba7e48840282727b0410f6b9b7f60510697bc2b6175c

SHA512
c9e7be096746465bfb7429d72b583ce45bb880b02ea752a13c459972cc1e70344e6a073d50ce75522456506a63edbc8ad8b0d761b583a35a7de032a05471f5f8

Download Submit
memory/3408-116-0x0000000000400000-0x0000000002CF8000-memory.dmp

Filesize
41.0MB

Download
memory/3408-115-0x0000000004D30000-0x0000000004EBF000-memory.dmp

Filesize
1.6MB

Download
memory/3408-117-0x0000000004EC0000-0x0000000005066000-memory.dmp

Filesize
1.6MB

Download
memory/4324-118-0x0000000000000000-mapping.dmp

Download