5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898

max time kernel135s
max time network123s
platformwindows10_x64
resourcewin10-en-20211208
submitted09-01-2022 08:50

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898.exe

Filesize

1MB

Completed

09-01-2022 08:52

Score

10^/10

MD5

a93ffb2c4f7d50f83ead908ffc5e1afa

SHA1

bef89d62bea9bb3987c5f1fa12a75ef0d8d7546c

SHA256

5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898

Extracted

Family	danabot
Botnet	4
C2	192.119.110.4:443 103.175.16.113:443 192.119.110.4:443 103.175.16.113:443
Attributes	embedded_hash 422236FD601D11EE82825A484D26DD6F type loader
rsa_pubkey.plain
rsa_privkey.plain

Danabot

Description

Danabot is a modular banking Trojan that has been linked with other malware.

Tags

trojan banker danabot

Danabot Loader Component

Reported IOCs

resource	yara_rule
behavioral1/files/0x000600000001ab3f-119.dat	DanabotLoader2021
behavioral1/files/0x000600000001ab3f-120.dat	DanabotLoader2021

Loads dropped DLL
rundll32.exe

Reported IOCs

pid process

3096 rundll32.exe

pid	process
3096	rundll32.exe

Suspicious use of WriteProcessMemory

5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898.exe

Reported IOCs

description	pid	process	target process
PID 2608 wrote to memory of 3096	2608	5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898.exe	rundll32.exe
PID 2608 wrote to memory of 3096	2608	5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898.exe	rundll32.exe
PID 2608 wrote to memory of 3096	2608	5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898.exe

"C:\Users\Admin\AppData\Local\Temp\5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898.exe"

Suspicious use of WriteProcessMemory

PID:2608

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898.exe.dll,z C:\Users\Admin\AppData\Local\Temp\5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898.exe

Loads dropped DLL

PID:3096

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898.exe.dll
MD5
8b0ff7cd041f1fea453e246fc934ec10

SHA1
e36ebc54ecec088ded6fb63e977ee7be8a18e221

SHA256
7f63c21d9f6b3eee4a2fa2721d5bb93b4f53843c2e78c10cc2452c10ebd92d3e

SHA512
4fe5ba3c9db9e160ad37a288f917daec0669f97839d831340c132f3bfa68fce4732ee31fea38de274357ff1522795ea6eea030ae2538ca7b283c279d7ac6d16b

Download Submit
\Users\Admin\AppData\Local\Temp\5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898.exe.dll
MD5
8b0ff7cd041f1fea453e246fc934ec10

SHA1
e36ebc54ecec088ded6fb63e977ee7be8a18e221

SHA256
7f63c21d9f6b3eee4a2fa2721d5bb93b4f53843c2e78c10cc2452c10ebd92d3e

SHA512
4fe5ba3c9db9e160ad37a288f917daec0669f97839d831340c132f3bfa68fce4732ee31fea38de274357ff1522795ea6eea030ae2538ca7b283c279d7ac6d16b

Download Submit
memory/2608-115-0x00000000049E0000-0x0000000004AC5000-memory.dmp

Download
memory/2608-117-0x0000000000400000-0x0000000002C5C000-memory.dmp

Download
memory/2608-116-0x0000000004AD0000-0x0000000004BCC000-memory.dmp

Download
memory/3096-118-0x0000000000000000-mapping.dmp

Download

5a7eb6eb7f9d5076f89d114fc2be8e5ea4541f718c5dca06966ec18c4622b898

Extracted

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Title