danabot | 2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38

Analysis

Target

2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe
Size

1.1MB
MD5

d6e4029b2351270c7be7db05bcf21955
SHA1

118f997dacf4f9dc9caccde527a0fa32341c5377
SHA256

2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38
SHA512

9682264c2d18edd44742a4ad666e7a651d6008ed27e576b71b23891154859f0abe19bceb4e7b5401e18b3d216fbce5391aef89ff3f0a7c0cef5559de38d7eb23

Score

10^/10

Family

danabot

Botnet

192.119.110.4:443

103.175.16.113:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe.dll	DanabotLoader2021

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1460 rundll32.exe

pid	process
1460	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe

description	pid	process	target process
PID 2620 wrote to memory of 1460	2620	2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe	rundll32.exe
PID 2620 wrote to memory of 1460	2620	2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe	rundll32.exe
PID 2620 wrote to memory of 1460	2620	2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe
"C:\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe.dll,z C:\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe
2⤵
- Loads dropped DLL
PID:1460

C:\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe.dll
MD5
cda6689c757127c139b96f66c7e3a095

SHA1
c74e6180a9682d09bed5ce68df60e5472e618ec1

SHA256
58842b78cec2279f832832408a536105a2ade3075c39960165671927c0bc4290

SHA512
288ab421787cf7b38dc2acc21e93337ac4fe8605a78d39523b680bda663ba53df416bdbc0cf01de7372fe74f2a7f08aa61e4ed0ad93a02a08e0a2df533407c7f

Download Submit
\Users\Admin\AppData\Local\Temp\2eb94760ca00f5c09688858b396f344d6b54abc561ff944102bc00cd12f86c38.exe.dll
MD5
cda6689c757127c139b96f66c7e3a095

SHA1
c74e6180a9682d09bed5ce68df60e5472e618ec1

SHA256
58842b78cec2279f832832408a536105a2ade3075c39960165671927c0bc4290

SHA512
288ab421787cf7b38dc2acc21e93337ac4fe8605a78d39523b680bda663ba53df416bdbc0cf01de7372fe74f2a7f08aa61e4ed0ad93a02a08e0a2df533407c7f

Download Submit
memory/1460-118-0x0000000000000000-mapping.dmp

Download
memory/2620-116-0x0000000004A90000-0x0000000004B8C000-memory.dmp

Filesize
1008KB

Download
memory/2620-115-0x00000000049A0000-0x0000000004A85000-memory.dmp

Filesize
916KB

Download
memory/2620-117-0x0000000000400000-0x0000000002C56000-memory.dmp

Filesize
40.3MB

Download