danabot | 871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7

General

Target

871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe
Size

1.1MB
MD5

f95afc4f4d4dd6e17ac7aab68b78fa25
SHA1

3c0e26fdeceea3ab875142f9b51f4ac40cdd3f28
SHA256

871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7
SHA512

e48e6029d3faf6a95f338561d9b33e1ae3fb64a74eb28d7dac89c7644a2fb559a454edd513a333c479731af42757c11fde3c897930c9f903d73fedb17d234bae

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

192.119.110.4:443

Attributes

embedded_hash
8357B947FCA843DB2D85EC29EDCDEF3C
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4392 rundll32.exe
4392 rundll32.exe

pid	process
4392	rundll32.exe
4392	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe

description	pid	process	target process
PID 3376 wrote to memory of 4392	3376	871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe	rundll32.exe
PID 3376 wrote to memory of 4392	3376	871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe	rundll32.exe
PID 3376 wrote to memory of 4392	3376	871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe
"C:\Users\Admin\AppData\Local\Temp\871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe.dll,z C:\Users\Admin\AppData\Local\Temp\871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe
2⤵
- Loads dropped DLL
PID:4392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe.dll
MD5
aa64e4598a59b1ec267d3afa414b42fc

SHA1
117e784f9c6c1c71dd301af28e3eaf606e0097db

SHA256
32b466164f9a85f4b4c6fd1bcf664bebfffd171763a6978d9ead3c933b9c82dc

SHA512
439e3ad68fb46f47021517192e479d486e7363533498189c9c9243b38b0662f71d44c46d8424629cfa95636172f6e8b1b077bb49d31378af6b80c7c7770852b5

Download Submit
\Users\Admin\AppData\Local\Temp\871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe.dll
MD5
aa64e4598a59b1ec267d3afa414b42fc

SHA1
117e784f9c6c1c71dd301af28e3eaf606e0097db

SHA256
32b466164f9a85f4b4c6fd1bcf664bebfffd171763a6978d9ead3c933b9c82dc

SHA512
439e3ad68fb46f47021517192e479d486e7363533498189c9c9243b38b0662f71d44c46d8424629cfa95636172f6e8b1b077bb49d31378af6b80c7c7770852b5

Download Submit
\Users\Admin\AppData\Local\Temp\871ade5fb9590ba6ed569d6198accc5f063d59956ed9b27357b01f708eee9be7.exe.dll
MD5
aa64e4598a59b1ec267d3afa414b42fc

SHA1
117e784f9c6c1c71dd301af28e3eaf606e0097db

SHA256
32b466164f9a85f4b4c6fd1bcf664bebfffd171763a6978d9ead3c933b9c82dc

SHA512
439e3ad68fb46f47021517192e479d486e7363533498189c9c9243b38b0662f71d44c46d8424629cfa95636172f6e8b1b077bb49d31378af6b80c7c7770852b5

Download Submit
memory/3376-115-0x00000000007A9000-0x000000000088C000-memory.dmp

Filesize
908KB

Download
memory/3376-116-0x0000000000940000-0x0000000000A3A000-memory.dmp

Filesize
1000KB

Download
memory/3376-117-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/4392-118-0x0000000000000000-mapping.dmp

Download
memory/4392-122-0x0000000000A80000-0x0000000000BCE000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing