fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e

General
Target

fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe

Filesize

1MB

Completed

13-01-2022 13:33

Score
10/10
MD5

a5fb0a37f7ac9d8efe9c6dc4b5075777

SHA1

00a4ce2ac284e2cebf56d60398868435fb560cbd

SHA256

fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e

Malware Config

Extracted

Family danabot
Botnet 4
C2

103.175.16.113:443

103.175.16.114:443
Attributes
embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader
rsa_pubkey.plain
rsa_privkey.plain
Signatures 4

Filter: none

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Danabot Loader Component

    Reported IOCs

    resourceyara_rule
    behavioral1/files/0x000600000001ab1b-119.datDanabotLoader2021
    behavioral1/files/0x000600000001ab1b-121.datDanabotLoader2021
    behavioral1/files/0x000600000001ab1b-120.datDanabotLoader2021
    behavioral1/memory/1000-122-0x0000000000920000-0x0000000000A71000-memory.dmpDanabotLoader2021
  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    pidprocess
    1000rundll32.exe
    1000rundll32.exe
  • Suspicious use of WriteProcessMemory
    fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2444 wrote to memory of 10002444fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exerundll32.exe
    PID 2444 wrote to memory of 10002444fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exerundll32.exe
    PID 2444 wrote to memory of 10002444fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exerundll32.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe
    "C:\Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe"
    Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe.dll,z C:\Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe
      Loads dropped DLL
      PID:1000
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe.dll

                            MD5

                            191c50d283bf7567c9f6f6991d16161d

                            SHA1

                            b396ef81fd678f5bc45970a8172174753ad95aaf

                            SHA256

                            a32f46e723b14dcb8a7f19d09845dc36c62836f87f0422efd340d011dfe07020

                            SHA512

                            2d5961168f532d031e199048823500ad37c2766d2ab19f04774384f262f346588693be54e10fd6482d67987f4ff7a00499a31f511faaffac1ba2f863df48da0d

                            Download Submit

                          • \Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe.dll

                            MD5

                            191c50d283bf7567c9f6f6991d16161d

                            SHA1

                            b396ef81fd678f5bc45970a8172174753ad95aaf

                            SHA256

                            a32f46e723b14dcb8a7f19d09845dc36c62836f87f0422efd340d011dfe07020

                            SHA512

                            2d5961168f532d031e199048823500ad37c2766d2ab19f04774384f262f346588693be54e10fd6482d67987f4ff7a00499a31f511faaffac1ba2f863df48da0d

                            Download Submit

                          • \Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe.dll

                            MD5

                            191c50d283bf7567c9f6f6991d16161d

                            SHA1

                            b396ef81fd678f5bc45970a8172174753ad95aaf

                            SHA256

                            a32f46e723b14dcb8a7f19d09845dc36c62836f87f0422efd340d011dfe07020

                            SHA512

                            2d5961168f532d031e199048823500ad37c2766d2ab19f04774384f262f346588693be54e10fd6482d67987f4ff7a00499a31f511faaffac1ba2f863df48da0d

                            Download Submit

                          • memory/1000-122-0x0000000000920000-0x0000000000A71000-memory.dmp

                            Download

                          • memory/1000-118-0x0000000000000000-mapping.dmp

                            Download

                          • memory/2444-117-0x0000000000400000-0x0000000000529000-memory.dmp

                            Download

                          • memory/2444-115-0x0000000000960000-0x0000000000A45000-memory.dmp

                            Download

                          • memory/2444-116-0x0000000000A50000-0x0000000000B4D000-memory.dmp

                            Download