2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38

General
Target

2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe

Filesize

1MB

Completed

08-01-2022 22:02

Score
10/10
MD5

d6e4029b2351270c7be7db05bcf21955

SHA1

118f997dacf4f9dc9caccde527a0fa32341c5377

SHA256

2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38

Malware Config

Extracted

Family danabot
Botnet 4
C2

192.119.110.4:443

103.175.16.113:443

Attributes
embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader
rsa_pubkey.plain
rsa_privkey.plain
Signatures 4

Filter: none

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component

    Reported IOCs

    resourceyara_rule
    behavioral1/files/0x000600000001ab3f-119.datDanabotLoader2021
    behavioral1/files/0x000600000001ab3f-120.datDanabotLoader2021
  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    pidprocess
    1460rundll32.exe
  • Suspicious use of WriteProcessMemory
    2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2620 wrote to memory of 146026202eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exerundll32.exe
    PID 2620 wrote to memory of 146026202eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exerundll32.exe
    PID 2620 wrote to memory of 146026202eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exerundll32.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe
    "C:\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe"
    Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe.dll,z C:\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe
      Loads dropped DLL
      PID:1460
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads
                          • C:\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe.dll

                            MD5

                            cda6689c757127c139b96f66c7e3a095

                            SHA1

                            c74e6180a9682d09bed5ce68df60e5472e618ec1

                            SHA256

                            58842b78cec2279f832832408a536105a2ade3075c39960165671927c0bc4290

                            SHA512

                            288ab421787cf7b38dc2acc21e93337ac4fe8605a78d39523b680bda663ba53df416bdbc0cf01de7372fe74f2a7f08aa61e4ed0ad93a02a08e0a2df533407c7f

                          • \Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe.dll

                            MD5

                            cda6689c757127c139b96f66c7e3a095

                            SHA1

                            c74e6180a9682d09bed5ce68df60e5472e618ec1

                            SHA256

                            58842b78cec2279f832832408a536105a2ade3075c39960165671927c0bc4290

                            SHA512

                            288ab421787cf7b38dc2acc21e93337ac4fe8605a78d39523b680bda663ba53df416bdbc0cf01de7372fe74f2a7f08aa61e4ed0ad93a02a08e0a2df533407c7f

                          • memory/1460-118-0x0000000000000000-mapping.dmp

                          • memory/2620-116-0x0000000004A90000-0x0000000004B8C000-memory.dmp

                          • memory/2620-115-0x00000000049A0000-0x0000000004A85000-memory.dmp

                          • memory/2620-117-0x0000000000400000-0x0000000002C56000-memory.dmp