danabot | 9a8418ab244c91ab1447181ca5544cc1202c1e5aee5549e0e9908ac5080ed3a6

General

Target

7d73bbc0c762f65500d81187cabb075d.exe
Size

1.1MB
MD5

7d73bbc0c762f65500d81187cabb075d
SHA1

e8a1f531e3ad3a1ee0fecccf34d0f23b6f452a53
SHA256

9a8418ab244c91ab1447181ca5544cc1202c1e5aee5549e0e9908ac5080ed3a6
SHA512

83455a8f8dbcfb90bcd7a4538dbc89d799710489e21d17cda7a2cdebbcc6679ae2e027835aa4c20de63c75451af37c3ebb614d6217dc81fe10db0055dfb9ec57

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

192.119.110.4:443

Attributes

embedded_hash
8357B947FCA843DB2D85EC29EDCDEF3C
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

760 rundll32.exe
760 rundll32.exe
760 rundll32.exe
760 rundll32.exe

pid	process
760	rundll32.exe
760	rundll32.exe
760	rundll32.exe
760	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

7d73bbc0c762f65500d81187cabb075d.exe

description	pid	process	target process
PID 1884 wrote to memory of 760	1884	7d73bbc0c762f65500d81187cabb075d.exe	rundll32.exe
PID 1884 wrote to memory of 760	1884	7d73bbc0c762f65500d81187cabb075d.exe	rundll32.exe
PID 1884 wrote to memory of 760	1884	7d73bbc0c762f65500d81187cabb075d.exe	rundll32.exe
PID 1884 wrote to memory of 760	1884	7d73bbc0c762f65500d81187cabb075d.exe	rundll32.exe
PID 1884 wrote to memory of 760	1884	7d73bbc0c762f65500d81187cabb075d.exe	rundll32.exe
PID 1884 wrote to memory of 760	1884	7d73bbc0c762f65500d81187cabb075d.exe	rundll32.exe
PID 1884 wrote to memory of 760	1884	7d73bbc0c762f65500d81187cabb075d.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7d73bbc0c762f65500d81187cabb075d.exe
"C:\Users\Admin\AppData\Local\Temp\7d73bbc0c762f65500d81187cabb075d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d73bbc0c762f65500d81187cabb075d.exe.dll,z C:\Users\Admin\AppData\Local\Temp\7d73bbc0c762f65500d81187cabb075d.exe
2⤵
- Loads dropped DLL
PID:760

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7d73bbc0c762f65500d81187cabb075d.exe.dll
MD5
d9df2c18d63e6171decc3e3bac29a1aa

SHA1
76d08651496ca262173fd7592173d01d096d0620

SHA256
45b88ddbd981ab5de6a58efd0e4ac0ab1cc05da2e4ffa1aac9caf2e875c5f705

SHA512
63e889e98566f8dd024860ea5a5e6629235d5eb9b94955b2978a819dd949a23d4c8ba66bdbb048bf3c5b7d8e0ff478318850b8f1736da3aca72afc8208742801

Download Submit
\Users\Admin\AppData\Local\Temp\7d73bbc0c762f65500d81187cabb075d.exe.dll
MD5
d9df2c18d63e6171decc3e3bac29a1aa

SHA1
76d08651496ca262173fd7592173d01d096d0620

SHA256
45b88ddbd981ab5de6a58efd0e4ac0ab1cc05da2e4ffa1aac9caf2e875c5f705

SHA512
63e889e98566f8dd024860ea5a5e6629235d5eb9b94955b2978a819dd949a23d4c8ba66bdbb048bf3c5b7d8e0ff478318850b8f1736da3aca72afc8208742801

Download Submit
\Users\Admin\AppData\Local\Temp\7d73bbc0c762f65500d81187cabb075d.exe.dll
MD5
d9df2c18d63e6171decc3e3bac29a1aa

SHA1
76d08651496ca262173fd7592173d01d096d0620

SHA256
45b88ddbd981ab5de6a58efd0e4ac0ab1cc05da2e4ffa1aac9caf2e875c5f705

SHA512
63e889e98566f8dd024860ea5a5e6629235d5eb9b94955b2978a819dd949a23d4c8ba66bdbb048bf3c5b7d8e0ff478318850b8f1736da3aca72afc8208742801

Download Submit
\Users\Admin\AppData\Local\Temp\7d73bbc0c762f65500d81187cabb075d.exe.dll
MD5
d9df2c18d63e6171decc3e3bac29a1aa

SHA1
76d08651496ca262173fd7592173d01d096d0620

SHA256
45b88ddbd981ab5de6a58efd0e4ac0ab1cc05da2e4ffa1aac9caf2e875c5f705

SHA512
63e889e98566f8dd024860ea5a5e6629235d5eb9b94955b2978a819dd949a23d4c8ba66bdbb048bf3c5b7d8e0ff478318850b8f1736da3aca72afc8208742801

Download Submit
\Users\Admin\AppData\Local\Temp\7d73bbc0c762f65500d81187cabb075d.exe.dll
MD5
d9df2c18d63e6171decc3e3bac29a1aa

SHA1
76d08651496ca262173fd7592173d01d096d0620

SHA256
45b88ddbd981ab5de6a58efd0e4ac0ab1cc05da2e4ffa1aac9caf2e875c5f705

SHA512
63e889e98566f8dd024860ea5a5e6629235d5eb9b94955b2978a819dd949a23d4c8ba66bdbb048bf3c5b7d8e0ff478318850b8f1736da3aca72afc8208742801

Download Submit
memory/760-57-0x0000000000000000-mapping.dmp

Download
memory/760-64-0x0000000001F00000-0x000000000204E000-memory.dmp

Filesize
1.3MB

Download
memory/1884-53-0x0000000000540000-0x0000000000623000-memory.dmp

Filesize
908KB

Download
memory/1884-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1884-56-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/1884-55-0x0000000000700000-0x00000000007FA000-memory.dmp

Filesize
1000KB

Download

Analysis

Sharing