9ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12

General
Target

9ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12.exe

Filesize

1MB

Completed

12-01-2022 16:23

Score
10/10
MD5

a8c9c70c215549f68555476f80cd20e9

SHA1

d499cf0f21c0fba8aaf6e0eb44d4bca3d754da5c

SHA256

9ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12

Malware Config

Extracted

Family danabot
Botnet 4
C2

209.127.27.22:443

103.175.16.114:443

103.175.16.113:443

Attributes
embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader
rsa_pubkey.plain
rsa_privkey.plain
Signatures 3

Filter: none

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    pidprocess
    3412rundll32.exe
  • Suspicious use of WriteProcessMemory
    9ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2620 wrote to memory of 341226209ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12.exerundll32.exe
    PID 2620 wrote to memory of 341226209ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12.exerundll32.exe
    PID 2620 wrote to memory of 341226209ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12.exerundll32.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\9ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12.exe
    "C:\Users\Admin\AppData\Local\Temp\9ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12.exe"
    Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12.exe.dll,z C:\Users\Admin\AppData\Local\Temp\9ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12.exe
      Loads dropped DLL
      PID:3412
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads
                          • C:\Users\Admin\AppData\Local\Temp\9ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12.exe.dll

                            MD5

                            63e7721d625a817cbc42fb1ea865e85f

                            SHA1

                            e363acb56fc9622beee848ce28e922fdde044428

                            SHA256

                            73efda7fdc00bcf22b46900628bee1beba0057d3fa851b9a40117fe7779510a7

                            SHA512

                            7e104be4a0d277fefdfae170e6b8edfd7563a9705a6aaa759d459bbec04f5ea946c89eaadb620d3ab9f8ea9ef77c8c3c18ceaf94103a8236828094bf500924cd

                          • \Users\Admin\AppData\Local\Temp\9ebcbf93b00f37d17be91cc3dac5ee946f6a7535600d41990d692bfc8bc43c12.exe.dll

                            MD5

                            63e7721d625a817cbc42fb1ea865e85f

                            SHA1

                            e363acb56fc9622beee848ce28e922fdde044428

                            SHA256

                            73efda7fdc00bcf22b46900628bee1beba0057d3fa851b9a40117fe7779510a7

                            SHA512

                            7e104be4a0d277fefdfae170e6b8edfd7563a9705a6aaa759d459bbec04f5ea946c89eaadb620d3ab9f8ea9ef77c8c3c18ceaf94103a8236828094bf500924cd

                          • memory/2620-115-0x000000000097F000-0x0000000000A62000-memory.dmp

                          • memory/2620-116-0x0000000000A70000-0x0000000000B6B000-memory.dmp

                          • memory/2620-117-0x0000000000400000-0x000000000063C000-memory.dmp

                          • memory/3412-118-0x0000000000000000-mapping.dmp