3b2e2b369895d2fd94a07ef3c66978c5.exe

max time kernel135s
max time network149s
platformwindows10_x64
resourcewin10-en-20211208
submitted10-01-2022 07:58

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

Filesize

1MB

Completed

10-01-2022 08:00

Score

10^/10

MD5

3b2e2b369895d2fd94a07ef3c66978c5

SHA1

91a09480fad625eae27f4df3e6de3e7e2cfec949

SHA256

220952caf42db06de1b1b80c1f95884419ebd90a667a07fa8da6792db1404316

Extracted

Family	danabot
Botnet	4
C2	192.119.110.4:443 103.175.16.113:443 192.119.110.4:443 103.175.16.113:443
Attributes	embedded_hash 422236FD601D11EE82825A484D26DD6F type loader
rsa_pubkey.plain
rsa_privkey.plain

Danabot

Description

Danabot is a modular banking Trojan that has been linked with other malware.

Tags

trojan banker danabot

Danabot Loader Component

Reported IOCs

resource	yara_rule
behavioral2/files/0x000600000001ab74-119.dat	DanabotLoader2021
behavioral2/files/0x000600000001ab74-120.dat	DanabotLoader2021

Loads dropped DLL
rundll32.exe

Reported IOCs

pid process

2864 rundll32.exe

pid	process
2864	rundll32.exe

Suspicious use of WriteProcessMemory

3b2e2b369895d2fd94a07ef3c66978c5.exe

Reported IOCs

description	pid	process	target process
PID 2704 wrote to memory of 2864	2704	3b2e2b369895d2fd94a07ef3c66978c5.exe	rundll32.exe
PID 2704 wrote to memory of 2864	2704	3b2e2b369895d2fd94a07ef3c66978c5.exe	rundll32.exe
PID 2704 wrote to memory of 2864	2704	3b2e2b369895d2fd94a07ef3c66978c5.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe

"C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe"

Suspicious use of WriteProcessMemory

PID:2704

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll,z C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe

Loads dropped DLL

PID:2864

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll
MD5
67be156a9e8aa3b3f85e8fcf3e5d610c

SHA1
9f1a6d241566e8023d52013f93a56928bd57658e

SHA256
64afd7ccbe2db294e4ea84e915ec2b9f1774b4034bfa541253f689588b328180

SHA512
0774f9cc7dbc72483a1e5ebc4fb90fd6b819cf4d633fe35fa07c95867a381a26b7dc3dcf493552e0d53aea7d2eeb7e059b98699ac96f62cc28b2b618fbd4bee3

Download Submit
\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll
MD5
67be156a9e8aa3b3f85e8fcf3e5d610c

SHA1
9f1a6d241566e8023d52013f93a56928bd57658e

SHA256
64afd7ccbe2db294e4ea84e915ec2b9f1774b4034bfa541253f689588b328180

SHA512
0774f9cc7dbc72483a1e5ebc4fb90fd6b819cf4d633fe35fa07c95867a381a26b7dc3dcf493552e0d53aea7d2eeb7e059b98699ac96f62cc28b2b618fbd4bee3

Download Submit
memory/2704-115-0x0000000004AE0000-0x0000000004BC3000-memory.dmp

Download
memory/2704-116-0x0000000004BF0000-0x0000000004CEA000-memory.dmp

Download
memory/2704-117-0x0000000000400000-0x0000000002C59000-memory.dmp

Download
memory/2864-118-0x0000000000000000-mapping.dmp

Download

3b2e2b369895d2fd94a07ef3c66978c5.exe

Extracted

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Title