3b2e2b369895d2fd94a07ef3c66978c5.exe

General
Target

3b2e2b369895d2fd94a07ef3c66978c5.exe

Filesize

1MB

Completed

10-01-2022 08:00

Score
10/10
MD5

3b2e2b369895d2fd94a07ef3c66978c5

SHA1

91a09480fad625eae27f4df3e6de3e7e2cfec949

SHA256

220952caf42db06de1b1b80c1f95884419ebd90a667a07fa8da6792db1404316

Malware Config

Extracted

Family danabot
Botnet 4
C2

192.119.110.4:443

103.175.16.113:443

Attributes
embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader
rsa_pubkey.plain
rsa_privkey.plain
Signatures 4

Filter: none

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component

    Reported IOCs

    resourceyara_rule
    behavioral2/files/0x000600000001ab74-119.datDanabotLoader2021
    behavioral2/files/0x000600000001ab74-120.datDanabotLoader2021
  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    pidprocess
    2864rundll32.exe
  • Suspicious use of WriteProcessMemory
    3b2e2b369895d2fd94a07ef3c66978c5.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2704 wrote to memory of 286427043b2e2b369895d2fd94a07ef3c66978c5.exerundll32.exe
    PID 2704 wrote to memory of 286427043b2e2b369895d2fd94a07ef3c66978c5.exerundll32.exe
    PID 2704 wrote to memory of 286427043b2e2b369895d2fd94a07ef3c66978c5.exerundll32.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe
    "C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe"
    Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll,z C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe
      Loads dropped DLL
      PID:2864
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads
                          • C:\Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll

                            MD5

                            67be156a9e8aa3b3f85e8fcf3e5d610c

                            SHA1

                            9f1a6d241566e8023d52013f93a56928bd57658e

                            SHA256

                            64afd7ccbe2db294e4ea84e915ec2b9f1774b4034bfa541253f689588b328180

                            SHA512

                            0774f9cc7dbc72483a1e5ebc4fb90fd6b819cf4d633fe35fa07c95867a381a26b7dc3dcf493552e0d53aea7d2eeb7e059b98699ac96f62cc28b2b618fbd4bee3

                          • \Users\Admin\AppData\Local\Temp\3b2e2b369895d2fd94a07ef3c66978c5.exe.dll

                            MD5

                            67be156a9e8aa3b3f85e8fcf3e5d610c

                            SHA1

                            9f1a6d241566e8023d52013f93a56928bd57658e

                            SHA256

                            64afd7ccbe2db294e4ea84e915ec2b9f1774b4034bfa541253f689588b328180

                            SHA512

                            0774f9cc7dbc72483a1e5ebc4fb90fd6b819cf4d633fe35fa07c95867a381a26b7dc3dcf493552e0d53aea7d2eeb7e059b98699ac96f62cc28b2b618fbd4bee3

                          • memory/2704-115-0x0000000004AE0000-0x0000000004BC3000-memory.dmp

                          • memory/2704-116-0x0000000004BF0000-0x0000000004CEA000-memory.dmp

                          • memory/2704-117-0x0000000000400000-0x0000000002C59000-memory.dmp

                          • memory/2864-118-0x0000000000000000-mapping.dmp