3b2e2b369895d2fd94a07ef3c66978c5.exe

max time kernel120s
max time network120s
platformwindows7_x64
resourcewin7-en-20211208
submitted10-01-2022 07:58

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

Filesize

1MB

Completed

10-01-2022 08:00

Score

10^/10

MD5

3b2e2b369895d2fd94a07ef3c66978c5

SHA1

91a09480fad625eae27f4df3e6de3e7e2cfec949

SHA256

220952caf42db06de1b1b80c1f95884419ebd90a667a07fa8da6792db1404316

Extracted

Family	danabot
Botnet	4
C2	192.119.110.4:443 103.175.16.113:443 192.119.110.4:443 103.175.16.113:443
Attributes	embedded_hash 422236FD601D11EE82825A484D26DD6F type loader
rsa_pubkey.plain
rsa_privkey.plain

Danabot

Description

Danabot is a modular banking Trojan that has been linked with other malware.

Tags

trojan banker danabot

Danabot Loader Component

Reported IOCs

resource	yara_rule
behavioral1/files/0x0006000000014076-60.dat	DanabotLoader2021
behavioral1/files/0x0006000000014076-59.dat	DanabotLoader2021
behavioral1/files/0x0006000000014076-61.dat	DanabotLoader2021
behavioral1/files/0x0006000000014076-62.dat	DanabotLoader2021
behavioral1/files/0x0006000000014076-63.dat	DanabotLoader2021
behavioral1/memory/1288-64-0x0000000000790000-0x00000000008DE000-memory.dmp	DanabotLoader2021

Loads dropped DLL
rundll32.exe

Reported IOCs

pid process

1288 rundll32.exe
1288 rundll32.exe
1288 rundll32.exe
1288 rundll32.exe

pid	process
1288	rundll32.exe
1288	rundll32.exe
1288	rundll32.exe
1288	rundll32.exe

Suspicious use of WriteProcessMemory

3b2e2b369895d2fd94a07ef3c66978c5.exe

Reported IOCs

description	pid	process	target process
PID 1688 wrote to memory of 1288	1688	3b2e2b369895d2fd94a07ef3c66978c5.exe	rundll32.exe
PID 1688 wrote to memory of 1288	1688	3b2e2b369895d2fd94a07ef3c66978c5.exe	rundll32.exe
PID 1688 wrote to memory of 1288	1688	3b2e2b369895d2fd94a07ef3c66978c5.exe	rundll32.exe
PID 1688 wrote to memory of 1288	1688	3b2e2b369895d2fd94a07ef3c66978c5.exe	rundll32.exe
PID 1688 wrote to memory of 1288	1688	3b2e2b369895d2fd94a07ef3c66978c5.exe	rundll32.exe
PID 1688 wrote to memory of 1288	1688	3b2e2b369895d2fd94a07ef3c66978c5.exe	rundll32.exe
PID 1688 wrote to memory of 1288	1688	3b2e2b369895d2fd94a07ef3c66978c5.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe

"C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe"

Suspicious use of WriteProcessMemory

PID:1688

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll,z C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe

Loads dropped DLL

PID:1288

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll
MD5
86bb9440a483e122e40cba72f6790ac1

SHA1
f9f87936259c4439e97fb07eac5c0e18915d0d7f

SHA256
d461c7b2b7659541facb628577479a7e117e8a4d191b6e778615de9418ae871c

SHA512
d6e56a721babea9ef63036e441158de025be20f3ce5ab69b6a7915a8012a072f882a266ff4566e30002a41ba7b6bc41ba7ee91ba0a21d5f7c5d6041afbeceb27

Download Submit
\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll
MD5
86bb9440a483e122e40cba72f6790ac1

SHA1
f9f87936259c4439e97fb07eac5c0e18915d0d7f

SHA256
d461c7b2b7659541facb628577479a7e117e8a4d191b6e778615de9418ae871c

SHA512
d6e56a721babea9ef63036e441158de025be20f3ce5ab69b6a7915a8012a072f882a266ff4566e30002a41ba7b6bc41ba7ee91ba0a21d5f7c5d6041afbeceb27

Download Submit
\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll
MD5
86bb9440a483e122e40cba72f6790ac1

SHA1
f9f87936259c4439e97fb07eac5c0e18915d0d7f

SHA256
d461c7b2b7659541facb628577479a7e117e8a4d191b6e778615de9418ae871c

SHA512
d6e56a721babea9ef63036e441158de025be20f3ce5ab69b6a7915a8012a072f882a266ff4566e30002a41ba7b6bc41ba7ee91ba0a21d5f7c5d6041afbeceb27

Download Submit
\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll
MD5
86bb9440a483e122e40cba72f6790ac1

SHA1
f9f87936259c4439e97fb07eac5c0e18915d0d7f

SHA256
d461c7b2b7659541facb628577479a7e117e8a4d191b6e778615de9418ae871c

SHA512
d6e56a721babea9ef63036e441158de025be20f3ce5ab69b6a7915a8012a072f882a266ff4566e30002a41ba7b6bc41ba7ee91ba0a21d5f7c5d6041afbeceb27

Download Submit
\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll
MD5
86bb9440a483e122e40cba72f6790ac1

SHA1
f9f87936259c4439e97fb07eac5c0e18915d0d7f

SHA256
d461c7b2b7659541facb628577479a7e117e8a4d191b6e778615de9418ae871c

SHA512
d6e56a721babea9ef63036e441158de025be20f3ce5ab69b6a7915a8012a072f882a266ff4566e30002a41ba7b6bc41ba7ee91ba0a21d5f7c5d6041afbeceb27

Download Submit
memory/1288-57-0x0000000000000000-mapping.dmp

Download
memory/1288-64-0x0000000000790000-0x00000000008DE000-memory.dmp

Download
memory/1688-54-0x00000000045D0000-0x00000000046CA000-memory.dmp

Download
memory/1688-53-0x00000000044E0000-0x00000000045C3000-memory.dmp

Download
memory/1688-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Download
memory/1688-56-0x0000000000400000-0x0000000002C59000-memory.dmp

Download

3b2e2b369895d2fd94a07ef3c66978c5.exe

Extracted

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Title