danabot | 1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a

General

Target

0347b84f4e3d0aa6a1009f509539e2b1.exe
Size

1.1MB
MD5

0347b84f4e3d0aa6a1009f509539e2b1
SHA1

48186b9449ca1bbce11c8cc03d5b2c790fb8db40
SHA256

1027b3f9e451a16896a4b06e851002ab01ca153421b17cbad6b0e73fac85ed4a
SHA512

a9a070821792f07feacdfe3a1d43bd7d2ecd1416a068ad10a3990f78cc9b2c57f58e5db9fb7be483d9cd9f23fd815a9162adbdaa0635264525c5aa55cf4ede55

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

192.119.110.4:443

192.236.194.72:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe.dll	DanabotLoader2021
behavioral1/memory/1356-66-0x0000000000860000-0x00000000009AD000-memory.dmp	DanabotLoader2021

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1356 rundll32.exe
1356 rundll32.exe
1356 rundll32.exe
1356 rundll32.exe

pid	process
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

0347b84f4e3d0aa6a1009f509539e2b1.exe

description	pid	process	target process
PID 740 wrote to memory of 1356	740	0347b84f4e3d0aa6a1009f509539e2b1.exe	rundll32.exe
PID 740 wrote to memory of 1356	740	0347b84f4e3d0aa6a1009f509539e2b1.exe	rundll32.exe
PID 740 wrote to memory of 1356	740	0347b84f4e3d0aa6a1009f509539e2b1.exe	rundll32.exe
PID 740 wrote to memory of 1356	740	0347b84f4e3d0aa6a1009f509539e2b1.exe	rundll32.exe
PID 740 wrote to memory of 1356	740	0347b84f4e3d0aa6a1009f509539e2b1.exe	rundll32.exe
PID 740 wrote to memory of 1356	740	0347b84f4e3d0aa6a1009f509539e2b1.exe	rundll32.exe
PID 740 wrote to memory of 1356	740	0347b84f4e3d0aa6a1009f509539e2b1.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe
"C:\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe.dll,z C:\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe
2⤵
- Loads dropped DLL
PID:1356

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe.dll
MD5
d2c690f176851df4bd749dcaf98c9cab

SHA1
2710968ed52181c2e608ce47f9c40c288000bfdd

SHA256
f2de8846f8e047dd66a2f2362213a06d19ff0ad83cba4ef7a5c39a7a83e0d626

SHA512
5869942743542bf7ab00704f8b179dda6880c6e4fd6a5ba921f2dfb0da5743a0140ab91ba45bde4b0d04ff7bf6ce7aacfc78cf29c8359a4e1dccf3405a0954f4

Download Submit
\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe.dll
MD5
d2c690f176851df4bd749dcaf98c9cab

SHA1
2710968ed52181c2e608ce47f9c40c288000bfdd

SHA256
f2de8846f8e047dd66a2f2362213a06d19ff0ad83cba4ef7a5c39a7a83e0d626

SHA512
5869942743542bf7ab00704f8b179dda6880c6e4fd6a5ba921f2dfb0da5743a0140ab91ba45bde4b0d04ff7bf6ce7aacfc78cf29c8359a4e1dccf3405a0954f4

Download Submit
\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe.dll
MD5
d2c690f176851df4bd749dcaf98c9cab

SHA1
2710968ed52181c2e608ce47f9c40c288000bfdd

SHA256
f2de8846f8e047dd66a2f2362213a06d19ff0ad83cba4ef7a5c39a7a83e0d626

SHA512
5869942743542bf7ab00704f8b179dda6880c6e4fd6a5ba921f2dfb0da5743a0140ab91ba45bde4b0d04ff7bf6ce7aacfc78cf29c8359a4e1dccf3405a0954f4

Download Submit
\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe.dll
MD5
d2c690f176851df4bd749dcaf98c9cab

SHA1
2710968ed52181c2e608ce47f9c40c288000bfdd

SHA256
f2de8846f8e047dd66a2f2362213a06d19ff0ad83cba4ef7a5c39a7a83e0d626

SHA512
5869942743542bf7ab00704f8b179dda6880c6e4fd6a5ba921f2dfb0da5743a0140ab91ba45bde4b0d04ff7bf6ce7aacfc78cf29c8359a4e1dccf3405a0954f4

Download Submit
\Users\Admin\AppData\Local\Temp\0347b84f4e3d0aa6a1009f509539e2b1.exe.dll
MD5
d2c690f176851df4bd749dcaf98c9cab

SHA1
2710968ed52181c2e608ce47f9c40c288000bfdd

SHA256
f2de8846f8e047dd66a2f2362213a06d19ff0ad83cba4ef7a5c39a7a83e0d626

SHA512
5869942743542bf7ab00704f8b179dda6880c6e4fd6a5ba921f2dfb0da5743a0140ab91ba45bde4b0d04ff7bf6ce7aacfc78cf29c8359a4e1dccf3405a0954f4

Download Submit
memory/740-55-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/740-56-0x0000000004590000-0x0000000004672000-memory.dmp

Filesize
904KB

Download
memory/740-57-0x0000000004680000-0x000000000477A000-memory.dmp

Filesize
1000KB

Download
memory/740-58-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/1356-59-0x0000000000000000-mapping.dmp

Download
memory/1356-66-0x0000000000860000-0x00000000009AD000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing