Analysis

  • max time kernel
    140s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    13-01-2022 15:32

General

  • Target

    d57c5f0618d68902c6b7e8fa7b888641.exe

  • Size

    1.1MB

  • MD5

    d57c5f0618d68902c6b7e8fa7b888641

  • SHA1

    06693ad79544d8f5172d48a938ba949499ba6c60

  • SHA256

    eb5966c02b728346e88e69ac3f63da4ec863a3e0d0754937c0f56799d3718d3d

  • SHA512

    f48c04fad244d0c6d8a6a6d4ca5ae196184f43c18ac981a59101269bf2d8eb0834ad5b0138897c002bf507b0b8e3870afcc92d659035c40f7c246f524a6e9e6d

Score
10/10

Malware Config

Extracted

Family

danabot

Botnet

4

C2

103.175.16.113:443

103.175.16.114:443

Attributes
  • embedded_hash

    422236FD601D11EE82825A484D26DD6F

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe
    "C:\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll,z C:\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe
      2⤵
      • Loads dropped DLL
      PID:2512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll
    MD5

    c4d1d0bbbcca730fe0e523a1f064ef8e

    SHA1

    f23ac88650134ca1bfcd269ae7ce444c3dacf791

    SHA256

    4612c2cecb1db491103538d61715a397d779eee89f907d79f16fc7c0adf07c5f

    SHA512

    6e2fe1998b6e3dab15e4c72a91a86e6e4341982a5817770d22320ba8666cfbbe483444e3c82107db088d8ce882ead752aa61e55c5cc85311ce8964eca854c308

  • \Users\Admin\AppData\Local\Temp\d57c5f0618d68902c6b7e8fa7b888641.exe.dll
    MD5

    c4d1d0bbbcca730fe0e523a1f064ef8e

    SHA1

    f23ac88650134ca1bfcd269ae7ce444c3dacf791

    SHA256

    4612c2cecb1db491103538d61715a397d779eee89f907d79f16fc7c0adf07c5f

    SHA512

    6e2fe1998b6e3dab15e4c72a91a86e6e4341982a5817770d22320ba8666cfbbe483444e3c82107db088d8ce882ead752aa61e55c5cc85311ce8964eca854c308

  • memory/2512-118-0x0000000000000000-mapping.dmp
  • memory/3336-116-0x0000000000910000-0x0000000000A0D000-memory.dmp
    Filesize

    1012KB

  • memory/3336-115-0x00000000007F0000-0x00000000008D5000-memory.dmp
    Filesize

    916KB

  • memory/3336-117-0x0000000000400000-0x0000000000529000-memory.dmp
    Filesize

    1.2MB