danabot | f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9

General

Target

f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe
Size

1.1MB
MD5

41d64125e3e8cf8ed38a35652e279390
SHA1

d01ad1e4b5435b2ff6be6831faf95bb04aa4058d
SHA256

f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9
SHA512

90985d858e8da45303c4ef28997dbd4c47d7ea45ad39437578025df48214b27aedb5a406555c89ba3ad9de9ccbb053b9796ae0b3998ccb9ddb72182ff7347cdb

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

192.119.110.4:443

Attributes

embedded_hash
8357B947FCA843DB2D85EC29EDCDEF3C
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

3240 rundll32.exe
3240 rundll32.exe

pid	process
3240	rundll32.exe
3240	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe

description	pid	process	target process
PID 2708 wrote to memory of 3240	2708	f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe	rundll32.exe
PID 2708 wrote to memory of 3240	2708	f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe	rundll32.exe
PID 2708 wrote to memory of 3240	2708	f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe
"C:\Users\Admin\AppData\Local\Temp\f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe.dll,z C:\Users\Admin\AppData\Local\Temp\f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe
2⤵
- Loads dropped DLL
PID:3240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe.dll
MD5
0787dc3eede1a5ed7cebdd2e3f2a3ace

SHA1
17184e53f74749a1217d29f7a4711e13dfeadd0b

SHA256
a1d0accaa7a94b32a4847bdd80a9ae96905b96bfbb894163470425b831949b64

SHA512
491b3435ccd6e2392335e57892d6467f3cd6831c801e552d38985e709ad06091fac3a3580ba5b83d861081b853eccafa24f4bd89be214429125cbd5fc14d9da0

Download Submit
\Users\Admin\AppData\Local\Temp\f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe.dll
MD5
0787dc3eede1a5ed7cebdd2e3f2a3ace

SHA1
17184e53f74749a1217d29f7a4711e13dfeadd0b

SHA256
a1d0accaa7a94b32a4847bdd80a9ae96905b96bfbb894163470425b831949b64

SHA512
491b3435ccd6e2392335e57892d6467f3cd6831c801e552d38985e709ad06091fac3a3580ba5b83d861081b853eccafa24f4bd89be214429125cbd5fc14d9da0

Download Submit
\Users\Admin\AppData\Local\Temp\f1e6a7f3c522f5df0728be7a6e1a04ed52235cafb366db8a139f513742b1dbd9.exe.dll
MD5
0787dc3eede1a5ed7cebdd2e3f2a3ace

SHA1
17184e53f74749a1217d29f7a4711e13dfeadd0b

SHA256
a1d0accaa7a94b32a4847bdd80a9ae96905b96bfbb894163470425b831949b64

SHA512
491b3435ccd6e2392335e57892d6467f3cd6831c801e552d38985e709ad06091fac3a3580ba5b83d861081b853eccafa24f4bd89be214429125cbd5fc14d9da0

Download Submit
memory/2708-114-0x00000000007D2000-0x00000000008B5000-memory.dmp

Filesize
908KB

Download
memory/2708-115-0x0000000000920000-0x0000000000A1A000-memory.dmp

Filesize
1000KB

Download
memory/2708-116-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/3240-117-0x0000000000000000-mapping.dmp

Download
memory/3240-121-0x0000000000CA0000-0x0000000000DEE000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing