danabot | 904366df569ca7df61aad19676b06d0254f8ee9ec1a11c18db5f8e784793e867 | Triage

Analysis

max time kernel
133s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-03-2022 17:37

Sharing

Report Analysis Logs

General

Target

904366DF569CA7DF61AAD19676B06D0254F8EE9EC1A11.dll
Size

1.3MB
MD5

0171fe3ceb93d3fabc91189fed1dcd63
SHA1

6874b1c9221a7090e8ea270c6b81d7437b58e6a2
SHA256

904366df569ca7df61aad19676b06d0254f8ee9ec1a11c18db5f8e784793e867
SHA512

71fc3d4997c10a4f7e0c671757c970735206004c78a82b72a249927bd44996a8146a61113be03fa4b7a911a5bb9613c18067b1e73be8ec7d679ef52c7bd24ad4

Score

10^/10

danabot 4 banker suricata trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

192.119.110.73:443

192.236.192.201:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2736-130-0x0000000002510000-0x0000000002674000-memory.dmp	DanabotLoader2021

suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

9 2736 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2640 wrote to memory of 2736	2640	rundll32.exe	rundll32.exe
PID 2640 wrote to memory of 2736	2640	rundll32.exe	rundll32.exe
PID 2640 wrote to memory of 2736	2640	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\904366DF569CA7DF61AAD19676B06D0254F8EE9EC1A11.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\904366DF569CA7DF61AAD19676B06D0254F8EE9EC1A11.dll,#1
2⤵
- Blocklisted process makes network request
PID:2736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2736-130-0x0000000002510000-0x0000000002674000-memory.dmp

Filesize
1.4MB

Download