danabot | b4fa02aa0ae575d9e0896f7929a0a7884497ff49608e56500f55ac178fd61fea

General

Target

b4fa02aa0ae575d9e0896f7929a0a7884497ff49608e56500f55ac178fd61fea.exe
Size

1.8MB
MD5

5ced47bbe0966d0c64448f66f625d65d
SHA1

be4e0862fe91cccdcf09f61a174ad3cd84e04fb3
SHA256

b4fa02aa0ae575d9e0896f7929a0a7884497ff49608e56500f55ac178fd61fea
SHA512

f350ab662b9626a47dce17049bddd4eda76389f68a8dae868484058d4588c5689291bccd3fb28a311d68165bbf9a1f958ed03a29bec10d7a459f86db637f7480

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B4FA02~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\B4FA02~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\B4FA02~1.DLL	DanabotLoader2021
behavioral1/memory/1512-122-0x0000000004290000-0x000000000450C000-memory.dmp	DanabotLoader2021

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1512 rundll32.exe
1512 rundll32.exe

pid	process
1512	rundll32.exe
1512	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b4fa02aa0ae575d9e0896f7929a0a7884497ff49608e56500f55ac178fd61fea.exe

description	pid	process	target process
PID 2140 wrote to memory of 1512	2140	b4fa02aa0ae575d9e0896f7929a0a7884497ff49608e56500f55ac178fd61fea.exe	rundll32.exe
PID 2140 wrote to memory of 1512	2140	b4fa02aa0ae575d9e0896f7929a0a7884497ff49608e56500f55ac178fd61fea.exe	rundll32.exe
PID 2140 wrote to memory of 1512	2140	b4fa02aa0ae575d9e0896f7929a0a7884497ff49608e56500f55ac178fd61fea.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b4fa02aa0ae575d9e0896f7929a0a7884497ff49608e56500f55ac178fd61fea.exe
"C:\Users\Admin\AppData\Local\Temp\b4fa02aa0ae575d9e0896f7929a0a7884497ff49608e56500f55ac178fd61fea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B4FA02~1.DLL,s C:\Users\Admin\AppData\Local\Temp\B4FA02~1.EXE
2⤵
- Loads dropped DLL
PID:1512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B4FA02~1.DLL
MD5
0b6c79f6b4779b40eeef3b2dad895a34

SHA1
4632b2854983001119f171b4f10395ec617f8c1e

SHA256
9d5b679a56f67691ff5f35f82162ee09689954ca7af780fb8d60474639f9c9e2

SHA512
7a1e78a766daf5383a1c753c4b1fee2772fedffcb2d50262783c00d42f1374a520368f677b95500c328e874ca166bbbb07403867ef0cd1d244552dfe50541a7a

Download Submit
\Users\Admin\AppData\Local\Temp\B4FA02~1.DLL
MD5
0b6c79f6b4779b40eeef3b2dad895a34

SHA1
4632b2854983001119f171b4f10395ec617f8c1e

SHA256
9d5b679a56f67691ff5f35f82162ee09689954ca7af780fb8d60474639f9c9e2

SHA512
7a1e78a766daf5383a1c753c4b1fee2772fedffcb2d50262783c00d42f1374a520368f677b95500c328e874ca166bbbb07403867ef0cd1d244552dfe50541a7a

Download Submit
\Users\Admin\AppData\Local\Temp\B4FA02~1.DLL
MD5
0b6c79f6b4779b40eeef3b2dad895a34

SHA1
4632b2854983001119f171b4f10395ec617f8c1e

SHA256
9d5b679a56f67691ff5f35f82162ee09689954ca7af780fb8d60474639f9c9e2

SHA512
7a1e78a766daf5383a1c753c4b1fee2772fedffcb2d50262783c00d42f1374a520368f677b95500c328e874ca166bbbb07403867ef0cd1d244552dfe50541a7a

Download Submit
memory/1512-118-0x0000000000000000-mapping.dmp

Download
memory/1512-122-0x0000000004290000-0x000000000450C000-memory.dmp

Filesize
2.5MB

Download
memory/2140-116-0x0000000004CC0000-0x0000000004E66000-memory.dmp

Filesize
1.6MB

Download
memory/2140-115-0x0000000004B30000-0x0000000004CBF000-memory.dmp

Filesize
1.6MB

Download
memory/2140-117-0x0000000000400000-0x0000000002CF8000-memory.dmp

Filesize
41.0MB

Download

Analysis

Sharing