d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c

General
Target

d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe

Filesize

1MB

Completed

13-01-2022 08:24

Score
10/10
MD5

a012615d823d78cf7ebe845cfc2a2102

SHA1

769d1c1dbeb0ab368ed3c094d4a468903e7e1e01

SHA256

d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c

Malware Config

Extracted

Family danabot
Botnet 4
C2

103.175.16.113:443

103.175.16.114:443

Attributes
embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader
rsa_pubkey.plain
rsa_privkey.plain
Signatures 4

Filter: none

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component

    Reported IOCs

    resourceyara_rule
    behavioral1/files/0x000600000001ab74-119.datDanabotLoader2021
    behavioral1/files/0x000600000001ab74-121.datDanabotLoader2021
    behavioral1/files/0x000600000001ab74-120.datDanabotLoader2021
    behavioral1/memory/3052-122-0x0000000000DE0000-0x0000000000F31000-memory.dmpDanabotLoader2021
  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    pidprocess
    3052rundll32.exe
    3052rundll32.exe
  • Suspicious use of WriteProcessMemory
    d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2152 wrote to memory of 30522152d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exerundll32.exe
    PID 2152 wrote to memory of 30522152d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exerundll32.exe
    PID 2152 wrote to memory of 30522152d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exerundll32.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe
    "C:\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe"
    Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe.dll,z C:\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe
      Loads dropped DLL
      PID:3052
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads
                          • C:\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe.dll

                            MD5

                            719f0c75dccb9ef0718ae6b452ff737d

                            SHA1

                            02944034174a09579f6e2b035823b3204be06db7

                            SHA256

                            8bc0429cbf0a40cec68d709e147a0bd71dc8e5e8c10d4e6386e50a3f4d23e42a

                            SHA512

                            e789765f94114c213772d951fb61d0aac56b43c91895eb9704e0860764d8a9e61bf2595174452608354b104f511dd4bd34bbaa4e1c4a30663879d84be528ee5f

                          • \Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe.dll

                            MD5

                            719f0c75dccb9ef0718ae6b452ff737d

                            SHA1

                            02944034174a09579f6e2b035823b3204be06db7

                            SHA256

                            8bc0429cbf0a40cec68d709e147a0bd71dc8e5e8c10d4e6386e50a3f4d23e42a

                            SHA512

                            e789765f94114c213772d951fb61d0aac56b43c91895eb9704e0860764d8a9e61bf2595174452608354b104f511dd4bd34bbaa4e1c4a30663879d84be528ee5f

                          • \Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe.dll

                            MD5

                            719f0c75dccb9ef0718ae6b452ff737d

                            SHA1

                            02944034174a09579f6e2b035823b3204be06db7

                            SHA256

                            8bc0429cbf0a40cec68d709e147a0bd71dc8e5e8c10d4e6386e50a3f4d23e42a

                            SHA512

                            e789765f94114c213772d951fb61d0aac56b43c91895eb9704e0860764d8a9e61bf2595174452608354b104f511dd4bd34bbaa4e1c4a30663879d84be528ee5f

                          • memory/2152-115-0x0000000000940000-0x0000000000A25000-memory.dmp

                          • memory/2152-117-0x0000000000400000-0x0000000000529000-memory.dmp

                          • memory/2152-116-0x0000000000A30000-0x0000000000B2D000-memory.dmp

                          • memory/3052-118-0x0000000000000000-mapping.dmp

                          • memory/3052-122-0x0000000000DE0000-0x0000000000F31000-memory.dmp