danabot | 2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d

General

Target

f601ad405d65674d3fdd6d9625770487.exe
Size

1.1MB
MD5

f601ad405d65674d3fdd6d9625770487
SHA1

2d5a12ef12b560d3bb634fa37d78951169113949
SHA256

2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d
SHA512

1347e26b67ed12d3173196aaca8e9fcad5bb8f6ed17e0482c5b5e33ddbecb19b954d46fcea4ff9e07e7d116b2c3ba351a1ce3aae294e4ce9e176797115a8171f

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

192.119.110.4:443

103.175.16.113:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll	DanabotLoader2021
behavioral1/memory/1388-65-0x0000000002030000-0x0000000002181000-memory.dmp	DanabotLoader2021

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1388 rundll32.exe
1388 rundll32.exe
1388 rundll32.exe
1388 rundll32.exe

pid	process
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe
1388	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f601ad405d65674d3fdd6d9625770487.exe

description	pid	process	target process
PID 1720 wrote to memory of 1388	1720	f601ad405d65674d3fdd6d9625770487.exe	rundll32.exe
PID 1720 wrote to memory of 1388	1720	f601ad405d65674d3fdd6d9625770487.exe	rundll32.exe
PID 1720 wrote to memory of 1388	1720	f601ad405d65674d3fdd6d9625770487.exe	rundll32.exe
PID 1720 wrote to memory of 1388	1720	f601ad405d65674d3fdd6d9625770487.exe	rundll32.exe
PID 1720 wrote to memory of 1388	1720	f601ad405d65674d3fdd6d9625770487.exe	rundll32.exe
PID 1720 wrote to memory of 1388	1720	f601ad405d65674d3fdd6d9625770487.exe	rundll32.exe
PID 1720 wrote to memory of 1388	1720	f601ad405d65674d3fdd6d9625770487.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe
"C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll,z C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe
2⤵
- Loads dropped DLL
PID:1388

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll
MD5
78900eb565941850b29a31c6eb05ad7f

SHA1
441c2e4cb5e031986959b7e20d1fee5f3520fab1

SHA256
842442eb4770dc81dceab6878ea2ffdf393f6c58987e5051208d843e323a5563

SHA512
4c83b5405ccffe7b64d51d9949672482c49b63e8105ac750c171679df0d3fcc8663befea0f4f57fe7b1e27d7411680a021a7e89698222794f8317ff303426648

Download Submit
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll
MD5
78900eb565941850b29a31c6eb05ad7f

SHA1
441c2e4cb5e031986959b7e20d1fee5f3520fab1

SHA256
842442eb4770dc81dceab6878ea2ffdf393f6c58987e5051208d843e323a5563

SHA512
4c83b5405ccffe7b64d51d9949672482c49b63e8105ac750c171679df0d3fcc8663befea0f4f57fe7b1e27d7411680a021a7e89698222794f8317ff303426648

Download Submit
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll
MD5
78900eb565941850b29a31c6eb05ad7f

SHA1
441c2e4cb5e031986959b7e20d1fee5f3520fab1

SHA256
842442eb4770dc81dceab6878ea2ffdf393f6c58987e5051208d843e323a5563

SHA512
4c83b5405ccffe7b64d51d9949672482c49b63e8105ac750c171679df0d3fcc8663befea0f4f57fe7b1e27d7411680a021a7e89698222794f8317ff303426648

Download Submit
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll
MD5
78900eb565941850b29a31c6eb05ad7f

SHA1
441c2e4cb5e031986959b7e20d1fee5f3520fab1

SHA256
842442eb4770dc81dceab6878ea2ffdf393f6c58987e5051208d843e323a5563

SHA512
4c83b5405ccffe7b64d51d9949672482c49b63e8105ac750c171679df0d3fcc8663befea0f4f57fe7b1e27d7411680a021a7e89698222794f8317ff303426648

Download Submit
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll
MD5
78900eb565941850b29a31c6eb05ad7f

SHA1
441c2e4cb5e031986959b7e20d1fee5f3520fab1

SHA256
842442eb4770dc81dceab6878ea2ffdf393f6c58987e5051208d843e323a5563

SHA512
4c83b5405ccffe7b64d51d9949672482c49b63e8105ac750c171679df0d3fcc8663befea0f4f57fe7b1e27d7411680a021a7e89698222794f8317ff303426648

Download Submit
memory/1388-58-0x0000000000000000-mapping.dmp

Download
memory/1388-65-0x0000000002030000-0x0000000002181000-memory.dmp

Filesize
1.3MB

Download
memory/1720-55-0x0000000004690000-0x000000000478C000-memory.dmp

Filesize
1008KB

Download
memory/1720-54-0x00000000045A0000-0x0000000004684000-memory.dmp

Filesize
912KB

Download
memory/1720-56-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1720-57-0x0000000000400000-0x0000000002C54000-memory.dmp

Filesize
40.3MB

Download

Analysis

Sharing