danabot | 1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a

Analysis

Target

1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe
Size

1.1MB
MD5

0347b84f4e3d0aa6a1009f509539e2b1
SHA1

48186b9449ca1bbce11c8cc03d5b2c790fb8db40
SHA256

1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a
SHA512

a9a070821792f07feacdfe3a1d43bd7d2ecd1416a068ad10a3990f78cc9b2c57f58e5db9fb7be483d9cd9f23fd815a9162adbdaa0635264525c5aa55cf4ede55

Score

10^/10

Family

danabot

Botnet

192.119.110.4:443

192.236.194.72:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe.dll	DanabotLoader2021

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4332 rundll32.exe

pid	process
4332	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe

description	pid	process	target process
PID 3576 wrote to memory of 4332	3576	1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe	rundll32.exe
PID 3576 wrote to memory of 4332	3576	1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe	rundll32.exe
PID 3576 wrote to memory of 4332	3576	1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe
"C:\Users\Admin\AppData\Local\Temp\1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe.dll,z C:\Users\Admin\AppData\Local\Temp\1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe
2⤵
- Loads dropped DLL
PID:4332

C:\Users\Admin\AppData\Local\Temp\1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe.dll
MD5
224b6baefb01da891ceace2dd870b5e4

SHA1
f3b7d9dfd46cd2f8b2d316f47509e28e74471236

SHA256
d712464f4f102d839f151e9ab1286b7ba10a799cae679f7b1476a64c3904edf9

SHA512
20a5f4284e75f45d2d87dd26d6b05c2b0989b7278cf713fe56fd8b21ce67caea99f677a0449b7587fae67b9b467dcb526dc627511a5bf42f8f119f171a049baf

Download Submit
\Users\Admin\AppData\Local\Temp\1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a.exe.dll
MD5
224b6baefb01da891ceace2dd870b5e4

SHA1
f3b7d9dfd46cd2f8b2d316f47509e28e74471236

SHA256
d712464f4f102d839f151e9ab1286b7ba10a799cae679f7b1476a64c3904edf9

SHA512
20a5f4284e75f45d2d87dd26d6b05c2b0989b7278cf713fe56fd8b21ce67caea99f677a0449b7587fae67b9b467dcb526dc627511a5bf42f8f119f171a049baf

Download Submit
memory/3576-116-0x0000000004BC0000-0x0000000004CBA000-memory.dmp

Filesize
1000KB

Download
memory/3576-115-0x0000000004A90000-0x0000000004B72000-memory.dmp

Filesize
904KB

Download
memory/3576-117-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/4332-118-0x0000000000000000-mapping.dmp

Download