danabot | cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b

General

Target

cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe
Size

1.1MB
MD5

c5fa3f6f58f272f0e33f3d5bd061290e
SHA1

b4400c24f79d7214293393339e0585ea3ed479f6
SHA256

cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b
SHA512

0511ba58e3b025012eaff66c868713af8d4cb04194e4c6e7426b1b45e8ca09ac061bdb67cb074ad3eb9ed0fc4fbbaa49b7186e93b5306503fbdbf9634d6e48a8

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

192.119.110.4:443

Attributes

embedded_hash
8357B947FCA843DB2D85EC29EDCDEF3C
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4340 rundll32.exe
4340 rundll32.exe

pid	process
4340	rundll32.exe
4340	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe

description	pid	process	target process
PID 3328 wrote to memory of 4340	3328	cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe	rundll32.exe
PID 3328 wrote to memory of 4340	3328	cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe	rundll32.exe
PID 3328 wrote to memory of 4340	3328	cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe
"C:\Users\Admin\AppData\Local\Temp\cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe.dll,z C:\Users\Admin\AppData\Local\Temp\cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe
2⤵
- Loads dropped DLL
PID:4340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe.dll
MD5
f2ec2bb0a07f3e0648c72368dcb72a77

SHA1
8ed9885070053ceda8a7d5661264fa9c932ceda0

SHA256
9eedb742cf2dbe71f3bb9c5ffb48a953e2a2823f43fa1c568193d38c3b1b557d

SHA512
4bdd605ff16a93e2aa048047e8462b54f03d82ab9e20ae1e1babeb707b1e34dd84f5c7de7dc53b44d46c781747013d5492584c4b58e7acffab4d2798b9ec979d

Download Submit
\Users\Admin\AppData\Local\Temp\cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe.dll
MD5
f2ec2bb0a07f3e0648c72368dcb72a77

SHA1
8ed9885070053ceda8a7d5661264fa9c932ceda0

SHA256
9eedb742cf2dbe71f3bb9c5ffb48a953e2a2823f43fa1c568193d38c3b1b557d

SHA512
4bdd605ff16a93e2aa048047e8462b54f03d82ab9e20ae1e1babeb707b1e34dd84f5c7de7dc53b44d46c781747013d5492584c4b58e7acffab4d2798b9ec979d

Download Submit
\Users\Admin\AppData\Local\Temp\cf4f27cdfaa338ca20522104b606e424e9cca6895403cf973fbc814966bfe61b.exe.dll
MD5
f2ec2bb0a07f3e0648c72368dcb72a77

SHA1
8ed9885070053ceda8a7d5661264fa9c932ceda0

SHA256
9eedb742cf2dbe71f3bb9c5ffb48a953e2a2823f43fa1c568193d38c3b1b557d

SHA512
4bdd605ff16a93e2aa048047e8462b54f03d82ab9e20ae1e1babeb707b1e34dd84f5c7de7dc53b44d46c781747013d5492584c4b58e7acffab4d2798b9ec979d

Download Submit
memory/3328-115-0x000000000086A000-0x000000000094D000-memory.dmp

Filesize
908KB

Download
memory/3328-116-0x0000000000950000-0x0000000000A4A000-memory.dmp

Filesize
1000KB

Download
memory/3328-117-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/4340-118-0x0000000000000000-mapping.dmp

Download
memory/4340-122-0x00000000041F0000-0x000000000433E000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing