danabot | 4b2cefcef595a9d7d95a5df2628bec64f36a1bb7a4d02dd7f1df5c17e4aa731e

General

Target

4b2cefcef595a9d7d95a5df2628bec64f36a1bb7a4d02dd7f1df5c17e4aa731e.exe
Size

1.8MB
MD5

9e09129d4f165dc596609b1e5f327b81
SHA1

45f7c2d3226b125830a1d90eb97e9f1e880db5e1
SHA256

4b2cefcef595a9d7d95a5df2628bec64f36a1bb7a4d02dd7f1df5c17e4aa731e
SHA512

a5ba6179e3611c87cf5560eebb30451408f80828cb75bb96ae02d8f7ae9945429bc482e10932d1bc017617afce741d0d4fb7b3ebb7bacf24d92bce237e2532fc

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4B2CEF~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\4B2CEF~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\4B2CEF~1.DLL	DanabotLoader2021
behavioral1/memory/1516-122-0x0000000004420000-0x000000000469C000-memory.dmp	DanabotLoader2021

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1516 rundll32.exe
1516 rundll32.exe

pid	process
1516	rundll32.exe
1516	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4b2cefcef595a9d7d95a5df2628bec64f36a1bb7a4d02dd7f1df5c17e4aa731e.exe

description	pid	process	target process
PID 3168 wrote to memory of 1516	3168	4b2cefcef595a9d7d95a5df2628bec64f36a1bb7a4d02dd7f1df5c17e4aa731e.exe	rundll32.exe
PID 3168 wrote to memory of 1516	3168	4b2cefcef595a9d7d95a5df2628bec64f36a1bb7a4d02dd7f1df5c17e4aa731e.exe	rundll32.exe
PID 3168 wrote to memory of 1516	3168	4b2cefcef595a9d7d95a5df2628bec64f36a1bb7a4d02dd7f1df5c17e4aa731e.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4b2cefcef595a9d7d95a5df2628bec64f36a1bb7a4d02dd7f1df5c17e4aa731e.exe
"C:\Users\Admin\AppData\Local\Temp\4b2cefcef595a9d7d95a5df2628bec64f36a1bb7a4d02dd7f1df5c17e4aa731e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4B2CEF~1.DLL,s C:\Users\Admin\AppData\Local\Temp\4B2CEF~1.EXE
2⤵
- Loads dropped DLL
PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4B2CEF~1.DLL
MD5
64452783daf6f2a8ca9215f6e3ebf4d6

SHA1
c297092e2cf1a57ea369f944785d34ad65d07afa

SHA256
6f89a6c97b4135cbb8586212803a8e9de6bb670ba140e0295f8bb0798eaa7edf

SHA512
4e2a604153fad75d1d4295e650082c2099f4a2950ead8c696f894abb2c84945d7abf9b02eb1dafe1f71c9a1c8579126f9d3af9ebc375ddcbec931a519e0ebda5

Download Submit
\Users\Admin\AppData\Local\Temp\4B2CEF~1.DLL
MD5
64452783daf6f2a8ca9215f6e3ebf4d6

SHA1
c297092e2cf1a57ea369f944785d34ad65d07afa

SHA256
6f89a6c97b4135cbb8586212803a8e9de6bb670ba140e0295f8bb0798eaa7edf

SHA512
4e2a604153fad75d1d4295e650082c2099f4a2950ead8c696f894abb2c84945d7abf9b02eb1dafe1f71c9a1c8579126f9d3af9ebc375ddcbec931a519e0ebda5

Download Submit
\Users\Admin\AppData\Local\Temp\4B2CEF~1.DLL
MD5
64452783daf6f2a8ca9215f6e3ebf4d6

SHA1
c297092e2cf1a57ea369f944785d34ad65d07afa

SHA256
6f89a6c97b4135cbb8586212803a8e9de6bb670ba140e0295f8bb0798eaa7edf

SHA512
4e2a604153fad75d1d4295e650082c2099f4a2950ead8c696f894abb2c84945d7abf9b02eb1dafe1f71c9a1c8579126f9d3af9ebc375ddcbec931a519e0ebda5

Download Submit
memory/1516-118-0x0000000000000000-mapping.dmp

Download
memory/1516-122-0x0000000004420000-0x000000000469C000-memory.dmp

Filesize
2.5MB

Download
memory/3168-115-0x0000000004A70000-0x0000000004BFF000-memory.dmp

Filesize
1.6MB

Download
memory/3168-116-0x0000000004DB0000-0x0000000004F56000-memory.dmp

Filesize
1.6MB

Download
memory/3168-117-0x0000000000400000-0x0000000002CFF000-memory.dmp

Filesize
41.0MB

Download

Analysis

Sharing