danabot | 2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d

General

Target

f601ad405d65674d3fdd6d9625770487.exe
Size

1.1MB
MD5

f601ad405d65674d3fdd6d9625770487
SHA1

2d5a12ef12b560d3bb634fa37d78951169113949
SHA256

2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d
SHA512

1347e26b67ed12d3173196aaca8e9fcad5bb8f6ed17e0482c5b5e33ddbecb19b954d46fcea4ff9e07e7d116b2c3ba351a1ce3aae294e4ce9e176797115a8171f

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

192.119.110.4:443

103.175.16.113:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll	DanabotLoader2021
behavioral2/memory/2432-122-0x0000000000CA0000-0x0000000000DF1000-memory.dmp	DanabotLoader2021

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2432 rundll32.exe
2432 rundll32.exe

pid	process
2432	rundll32.exe
2432	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f601ad405d65674d3fdd6d9625770487.exe

description	pid	process	target process
PID 492 wrote to memory of 2432	492	f601ad405d65674d3fdd6d9625770487.exe	rundll32.exe
PID 492 wrote to memory of 2432	492	f601ad405d65674d3fdd6d9625770487.exe	rundll32.exe
PID 492 wrote to memory of 2432	492	f601ad405d65674d3fdd6d9625770487.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe
"C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll,z C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe
2⤵
- Loads dropped DLL
PID:2432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll
MD5
90d6511b232dfa8fcda6d7951cc5a3b0

SHA1
1f4434aeb484ec728696d99ee137e354047105ed

SHA256
bc9e2120d785287e68db559e26c73f80f0d555961450a33cf2617689f397658b

SHA512
74961586bd61da070a92cb852ef33b3ffdff46b8282a385dc1581c66d098e1a9aae99adf8f24e0f018b68646973932edb8f68449bc9ceb1e137c82591775436e

Download Submit
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll
MD5
90d6511b232dfa8fcda6d7951cc5a3b0

SHA1
1f4434aeb484ec728696d99ee137e354047105ed

SHA256
bc9e2120d785287e68db559e26c73f80f0d555961450a33cf2617689f397658b

SHA512
74961586bd61da070a92cb852ef33b3ffdff46b8282a385dc1581c66d098e1a9aae99adf8f24e0f018b68646973932edb8f68449bc9ceb1e137c82591775436e

Download Submit
\Users\Admin\AppData\Local\Temp\f601ad405d65674d3fdd6d9625770487.exe.dll
MD5
90d6511b232dfa8fcda6d7951cc5a3b0

SHA1
1f4434aeb484ec728696d99ee137e354047105ed

SHA256
bc9e2120d785287e68db559e26c73f80f0d555961450a33cf2617689f397658b

SHA512
74961586bd61da070a92cb852ef33b3ffdff46b8282a385dc1581c66d098e1a9aae99adf8f24e0f018b68646973932edb8f68449bc9ceb1e137c82591775436e

Download Submit
memory/492-115-0x0000000004B90000-0x0000000004C74000-memory.dmp

Filesize
912KB

Download
memory/492-116-0x0000000004C80000-0x0000000004D7C000-memory.dmp

Filesize
1008KB

Download
memory/492-117-0x0000000000400000-0x0000000002C54000-memory.dmp

Filesize
40.3MB

Download
memory/2432-118-0x0000000000000000-mapping.dmp

Download
memory/2432-122-0x0000000000CA0000-0x0000000000DF1000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing