danabot | 8b73e5a9e4093166d04fcee33db13db39dacbb6a2bb8282282e1ab9558fddc86

Target

a07a26961fcd37fbbbe292225e069243.exe
Size

1.2MB
MD5

a07a26961fcd37fbbbe292225e069243
SHA1

d4f3c4d7045865e52284544c1957cf3786902404
SHA256

8b73e5a9e4093166d04fcee33db13db39dacbb6a2bb8282282e1ab9558fddc86
SHA512

81fe9aa924055f4a039cd662d4244bbf9a48b6698fbb6bffd891cd59d55a613e67011bcc3ad2420f9d7bf4d2447abdccbf4caff086ab2ae7331e6aa3191fd769

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5.253.84.124:443

103.175.16.114:443

193.34.166.107:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll	DanabotLoader2021
behavioral1/memory/1592-66-0x00000000009E0000-0x0000000000B30000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

2 1592 rundll32.exe
3 1592 rundll32.exe
4 1592 rundll32.exe
5 1592 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1592 rundll32.exe
1592 rundll32.exe
1592 rundll32.exe
1592 rundll32.exe

flow	pid	process
2	1592	rundll32.exe
3	1592	rundll32.exe
4	1592	rundll32.exe
5	1592	rundll32.exe

pid	process
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a07a26961fcd37fbbbe292225e069243.exe

description	pid	process	target process
PID 1316 wrote to memory of 1592	1316	a07a26961fcd37fbbbe292225e069243.exe	rundll32.exe
PID 1316 wrote to memory of 1592	1316	a07a26961fcd37fbbbe292225e069243.exe	rundll32.exe
PID 1316 wrote to memory of 1592	1316	a07a26961fcd37fbbbe292225e069243.exe	rundll32.exe
PID 1316 wrote to memory of 1592	1316	a07a26961fcd37fbbbe292225e069243.exe	rundll32.exe
PID 1316 wrote to memory of 1592	1316	a07a26961fcd37fbbbe292225e069243.exe	rundll32.exe
PID 1316 wrote to memory of 1592	1316	a07a26961fcd37fbbbe292225e069243.exe	rundll32.exe
PID 1316 wrote to memory of 1592	1316	a07a26961fcd37fbbbe292225e069243.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe
"C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll,z C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
MD5
d9690fe665bd41ab6b46c2bce894b6be

SHA1
5cf751456dfc21bcef162c5496253abafcab41c6

SHA256
493bfdb9cec2444fc02df160a73d3cbd1cbdc8f320ae655a83620aedad1b24f4

SHA512
c201bf13460bbd65c2c093863114993a780e08a8b2bc9e185aea36d72b1e18ee75f5e4cce715f5fd0f2a438528be28ef83d9587e86f56d4cc370b4c1f60df90b

Download Submit
\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
MD5
d9690fe665bd41ab6b46c2bce894b6be

SHA1
5cf751456dfc21bcef162c5496253abafcab41c6

SHA256
493bfdb9cec2444fc02df160a73d3cbd1cbdc8f320ae655a83620aedad1b24f4

SHA512
c201bf13460bbd65c2c093863114993a780e08a8b2bc9e185aea36d72b1e18ee75f5e4cce715f5fd0f2a438528be28ef83d9587e86f56d4cc370b4c1f60df90b

Download Submit
\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
MD5
d9690fe665bd41ab6b46c2bce894b6be

SHA1
5cf751456dfc21bcef162c5496253abafcab41c6

SHA256
493bfdb9cec2444fc02df160a73d3cbd1cbdc8f320ae655a83620aedad1b24f4

SHA512
c201bf13460bbd65c2c093863114993a780e08a8b2bc9e185aea36d72b1e18ee75f5e4cce715f5fd0f2a438528be28ef83d9587e86f56d4cc370b4c1f60df90b

Download Submit
\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
MD5
d9690fe665bd41ab6b46c2bce894b6be

SHA1
5cf751456dfc21bcef162c5496253abafcab41c6

SHA256
493bfdb9cec2444fc02df160a73d3cbd1cbdc8f320ae655a83620aedad1b24f4

SHA512
c201bf13460bbd65c2c093863114993a780e08a8b2bc9e185aea36d72b1e18ee75f5e4cce715f5fd0f2a438528be28ef83d9587e86f56d4cc370b4c1f60df90b

Download Submit
\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
MD5
d9690fe665bd41ab6b46c2bce894b6be

SHA1
5cf751456dfc21bcef162c5496253abafcab41c6

SHA256
493bfdb9cec2444fc02df160a73d3cbd1cbdc8f320ae655a83620aedad1b24f4

SHA512
c201bf13460bbd65c2c093863114993a780e08a8b2bc9e185aea36d72b1e18ee75f5e4cce715f5fd0f2a438528be28ef83d9587e86f56d4cc370b4c1f60df90b

Download Submit
memory/1316-55-0x00000000002E0000-0x00000000003C4000-memory.dmp

Filesize
912KB

Download
memory/1316-56-0x00000000002E0000-0x00000000003C4000-memory.dmp

Filesize
912KB

Download
memory/1316-57-0x0000000000710000-0x000000000080B000-memory.dmp

Filesize
1004KB

Download
memory/1316-58-0x0000000074B21000-0x0000000074B23000-memory.dmp

Filesize
8KB

Download
memory/1316-59-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/1592-66-0x00000000009E0000-0x0000000000B30000-memory.dmp

Filesize
1.3MB

Download