danabot | f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c

Analysis

Target

f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe
Size

1.1MB
MD5

51913f93259de85f17d3590a8263589d
SHA1

c36fb4dade6e0c69e81b8e2f2a69090471c22f7a
SHA256

f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c
SHA512

dca6b3579463af33792171d29ecb711c7bef7e83efb38cf43c37b3dd654267847851223caeef5a260a596c5d9a27f14b59ba969ceb6a0678d2515a1b5f601c82

Score

10^/10

Family

danabot

Botnet

209.127.27.22:443

103.175.16.114:443

103.175.16.113:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe.dll	DanabotLoader2021

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4228 rundll32.exe

pid	process
4228	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe

description	pid	process	target process
PID 344 wrote to memory of 4228	344	f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe	rundll32.exe
PID 344 wrote to memory of 4228	344	f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe	rundll32.exe
PID 344 wrote to memory of 4228	344	f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe
"C:\Users\Admin\AppData\Local\Temp\f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe.dll,z C:\Users\Admin\AppData\Local\Temp\f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe
2⤵
- Loads dropped DLL
PID:4228

C:\Users\Admin\AppData\Local\Temp\f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe.dll
MD5
0afa9091328834665946d45b4f9b61b8

SHA1
c5175a0e0522bfe9889904ef1d765d04d272a64e

SHA256
08415b93a560bdf8a28bd646de06fd244127b34e9c91c14b54f62d33e68a70b7

SHA512
b861bb27bea714e3a06181b3765ab92bc76308c2f7761c05243b01feecad045a6036339b43ba0f62c3af45ed0429e810fbd8e27bb3d6333cfa7725f67cf3c6b2

Download Submit
\Users\Admin\AppData\Local\Temp\f38ab9b98774509a4d1dbadc3f5c9a5f927979736ff89dd5892b380a9f09738c.exe.dll
MD5
0afa9091328834665946d45b4f9b61b8

SHA1
c5175a0e0522bfe9889904ef1d765d04d272a64e

SHA256
08415b93a560bdf8a28bd646de06fd244127b34e9c91c14b54f62d33e68a70b7

SHA512
b861bb27bea714e3a06181b3765ab92bc76308c2f7761c05243b01feecad045a6036339b43ba0f62c3af45ed0429e810fbd8e27bb3d6333cfa7725f67cf3c6b2

Download Submit
memory/344-115-0x000000000092F000-0x0000000000A14000-memory.dmp

Filesize
916KB

Download
memory/344-117-0x0000000000400000-0x000000000063F000-memory.dmp

Filesize
2.2MB

Download
memory/344-116-0x0000000000A20000-0x0000000000B1C000-memory.dmp

Filesize
1008KB

Download
memory/4228-118-0x0000000000000000-mapping.dmp

Download