danabot | 7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0

General

Target

f8151b5d4c4e62166a8c2e914f54cbb7.exe
Size

1.1MB
MD5

f8151b5d4c4e62166a8c2e914f54cbb7
SHA1

ee9da83f51b904db29d14847a013c4cff7ea6711
SHA256

7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0
SHA512

0e141cee03549a768d284381bd8751b3b3b18805bffa1ada7e4a7c44c3d50fae190d6a4d82ddaee76c82f2a853190549a2d6d1f3a3fdfef425cff3499933b084

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

192.119.110.4:443

192.236.194.72:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe.dll	DanabotLoader2021
behavioral1/memory/560-65-0x0000000000A50000-0x0000000000B9D000-memory.dmp	DanabotLoader2021

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

560 rundll32.exe
560 rundll32.exe
560 rundll32.exe
560 rundll32.exe

pid	process
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f8151b5d4c4e62166a8c2e914f54cbb7.exe

description	pid	process	target process
PID 1532 wrote to memory of 560	1532	f8151b5d4c4e62166a8c2e914f54cbb7.exe	rundll32.exe
PID 1532 wrote to memory of 560	1532	f8151b5d4c4e62166a8c2e914f54cbb7.exe	rundll32.exe
PID 1532 wrote to memory of 560	1532	f8151b5d4c4e62166a8c2e914f54cbb7.exe	rundll32.exe
PID 1532 wrote to memory of 560	1532	f8151b5d4c4e62166a8c2e914f54cbb7.exe	rundll32.exe
PID 1532 wrote to memory of 560	1532	f8151b5d4c4e62166a8c2e914f54cbb7.exe	rundll32.exe
PID 1532 wrote to memory of 560	1532	f8151b5d4c4e62166a8c2e914f54cbb7.exe	rundll32.exe
PID 1532 wrote to memory of 560	1532	f8151b5d4c4e62166a8c2e914f54cbb7.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe
"C:\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe.dll,z C:\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe
2⤵
- Loads dropped DLL
PID:560

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe.dll
MD5
c0d76b2d42082fc8a8c2c937f03d6906

SHA1
b745c15f81b406efc26c7249e9065c7ab4fca30b

SHA256
76d3267446ba23d62504459cf935e1bb2bcec49d74817b6c1ca4aa00e87e7c89

SHA512
244b3bb31636d2911123558fdbe2ebfb0afb8bda82b9bfd6562d1a654fd99e9b0791ffdad1940c85d02a23b297c7398ffbc4b48ade8ace76fd699cfdf2dd04bd

Download Submit
\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe.dll
MD5
c0d76b2d42082fc8a8c2c937f03d6906

SHA1
b745c15f81b406efc26c7249e9065c7ab4fca30b

SHA256
76d3267446ba23d62504459cf935e1bb2bcec49d74817b6c1ca4aa00e87e7c89

SHA512
244b3bb31636d2911123558fdbe2ebfb0afb8bda82b9bfd6562d1a654fd99e9b0791ffdad1940c85d02a23b297c7398ffbc4b48ade8ace76fd699cfdf2dd04bd

Download Submit
\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe.dll
MD5
c0d76b2d42082fc8a8c2c937f03d6906

SHA1
b745c15f81b406efc26c7249e9065c7ab4fca30b

SHA256
76d3267446ba23d62504459cf935e1bb2bcec49d74817b6c1ca4aa00e87e7c89

SHA512
244b3bb31636d2911123558fdbe2ebfb0afb8bda82b9bfd6562d1a654fd99e9b0791ffdad1940c85d02a23b297c7398ffbc4b48ade8ace76fd699cfdf2dd04bd

Download Submit
\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe.dll
MD5
c0d76b2d42082fc8a8c2c937f03d6906

SHA1
b745c15f81b406efc26c7249e9065c7ab4fca30b

SHA256
76d3267446ba23d62504459cf935e1bb2bcec49d74817b6c1ca4aa00e87e7c89

SHA512
244b3bb31636d2911123558fdbe2ebfb0afb8bda82b9bfd6562d1a654fd99e9b0791ffdad1940c85d02a23b297c7398ffbc4b48ade8ace76fd699cfdf2dd04bd

Download Submit
\Users\Admin\AppData\Local\Temp\f8151b5d4c4e62166a8c2e914f54cbb7.exe.dll
MD5
c0d76b2d42082fc8a8c2c937f03d6906

SHA1
b745c15f81b406efc26c7249e9065c7ab4fca30b

SHA256
76d3267446ba23d62504459cf935e1bb2bcec49d74817b6c1ca4aa00e87e7c89

SHA512
244b3bb31636d2911123558fdbe2ebfb0afb8bda82b9bfd6562d1a654fd99e9b0791ffdad1940c85d02a23b297c7398ffbc4b48ade8ace76fd699cfdf2dd04bd

Download Submit
memory/560-58-0x0000000000000000-mapping.dmp

Download
memory/560-65-0x0000000000A50000-0x0000000000B9D000-memory.dmp

Filesize
1.3MB

Download
memory/1532-54-0x00000000045F0000-0x00000000046D2000-memory.dmp

Filesize
904KB

Download
memory/1532-55-0x00000000046E0000-0x00000000047DA000-memory.dmp

Filesize
1000KB

Download
memory/1532-56-0x0000000074F11000-0x0000000074F13000-memory.dmp

Filesize
8KB

Download
memory/1532-57-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download

Analysis

Sharing