danabot | eb5966c02b728346e88e69ac3f63da4ec863a3e0d0754937c0f56799d3718d3d

General

Target

d57c5f0618d68902c6b7e8fa7b888641.exe
Size

1.1MB
MD5

d57c5f0618d68902c6b7e8fa7b888641
SHA1

06693ad79544d8f5172d48a938ba949499ba6c60
SHA256

eb5966c02b728346e88e69ac3f63da4ec863a3e0d0754937c0f56799d3718d3d
SHA512

f48c04fad244d0c6d8a6a6d4ca5ae196184f43c18ac981a59101269bf2d8eb0834ad5b0138897c002bf507b0b8e3870afcc92d659035c40f7c246f524a6e9e6d

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

103.175.16.113:443

103.175.16.114:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll	DanabotLoader2021
behavioral1/memory/1732-65-0x0000000001D60000-0x0000000001EB1000-memory.dmp	DanabotLoader2021

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1732 rundll32.exe
1732 rundll32.exe
1732 rundll32.exe
1732 rundll32.exe

pid	process
1732	rundll32.exe
1732	rundll32.exe
1732	rundll32.exe
1732	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

d57c5f0618d68902c6b7e8fa7b888641.exe

description	pid	process	target process
PID 748 wrote to memory of 1732	748	d57c5f0618d68902c6b7e8fa7b888641.exe	rundll32.exe
PID 748 wrote to memory of 1732	748	d57c5f0618d68902c6b7e8fa7b888641.exe	rundll32.exe
PID 748 wrote to memory of 1732	748	d57c5f0618d68902c6b7e8fa7b888641.exe	rundll32.exe
PID 748 wrote to memory of 1732	748	d57c5f0618d68902c6b7e8fa7b888641.exe	rundll32.exe
PID 748 wrote to memory of 1732	748	d57c5f0618d68902c6b7e8fa7b888641.exe	rundll32.exe
PID 748 wrote to memory of 1732	748	d57c5f0618d68902c6b7e8fa7b888641.exe	rundll32.exe
PID 748 wrote to memory of 1732	748	d57c5f0618d68902c6b7e8fa7b888641.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe
"C:\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll,z C:\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe
2⤵
- Loads dropped DLL
PID:1732

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll
MD5
dabd9b8bcc720a649402f5f27eca245e

SHA1
9d165278dd792ed4d1c399cd5732d5fdb7d701c2

SHA256
26fa6fdbb4613151fb5c2b318b9e97bf43a2a6ff0847621df057b0dc4631dc43

SHA512
d87465e6c5f2ef498251959e6d94a89165f09503ec5157c29b610b0769eaea9f77f01da009dc209ca3f28ad2d168024245a5abb567a157e8e1fb7949f7525201

Download Submit
\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll
MD5
dabd9b8bcc720a649402f5f27eca245e

SHA1
9d165278dd792ed4d1c399cd5732d5fdb7d701c2

SHA256
26fa6fdbb4613151fb5c2b318b9e97bf43a2a6ff0847621df057b0dc4631dc43

SHA512
d87465e6c5f2ef498251959e6d94a89165f09503ec5157c29b610b0769eaea9f77f01da009dc209ca3f28ad2d168024245a5abb567a157e8e1fb7949f7525201

Download Submit
\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll
MD5
dabd9b8bcc720a649402f5f27eca245e

SHA1
9d165278dd792ed4d1c399cd5732d5fdb7d701c2

SHA256
26fa6fdbb4613151fb5c2b318b9e97bf43a2a6ff0847621df057b0dc4631dc43

SHA512
d87465e6c5f2ef498251959e6d94a89165f09503ec5157c29b610b0769eaea9f77f01da009dc209ca3f28ad2d168024245a5abb567a157e8e1fb7949f7525201

Download Submit
\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll
MD5
dabd9b8bcc720a649402f5f27eca245e

SHA1
9d165278dd792ed4d1c399cd5732d5fdb7d701c2

SHA256
26fa6fdbb4613151fb5c2b318b9e97bf43a2a6ff0847621df057b0dc4631dc43

SHA512
d87465e6c5f2ef498251959e6d94a89165f09503ec5157c29b610b0769eaea9f77f01da009dc209ca3f28ad2d168024245a5abb567a157e8e1fb7949f7525201

Download Submit
\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll
MD5
dabd9b8bcc720a649402f5f27eca245e

SHA1
9d165278dd792ed4d1c399cd5732d5fdb7d701c2

SHA256
26fa6fdbb4613151fb5c2b318b9e97bf43a2a6ff0847621df057b0dc4631dc43

SHA512
d87465e6c5f2ef498251959e6d94a89165f09503ec5157c29b610b0769eaea9f77f01da009dc209ca3f28ad2d168024245a5abb567a157e8e1fb7949f7525201

Download Submit
memory/748-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/748-55-0x0000000000740000-0x0000000000825000-memory.dmp

Filesize
916KB

Download
memory/748-56-0x0000000000830000-0x000000000092D000-memory.dmp

Filesize
1012KB

Download
memory/748-57-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1732-58-0x0000000000000000-mapping.dmp

Download
memory/1732-65-0x0000000001D60000-0x0000000001EB1000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing