danabot | cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4

Resubmissions

01-08-2022 11:35

04-04-2022 16:05

Target

cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4.dll
Size

1.2MB
MD5

01093c63363ec6be6dbceaf560907f7e
SHA1

0330c617d7b1a66eb9912c775a23dd1efc0f125a
SHA256

cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4
SHA512

67c62fa97096051e72869208676b9c0a97026d02095212866b9a04bba42acc3f98d970fed7c76266d2c6d73885d2a954cdd5747cd109dd3cfbc3692cc3168a57

Score

10^/10

Family

danabot

Botnet

66.85.185.120:443

37.220.31.27:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1360-56-0x0000000000630000-0x0000000000771000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

1 1360 rundll32.exe

flow	pid	process
1	1360	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 340 wrote to memory of 1360	340	rundll32.exe	rundll32.exe
PID 340 wrote to memory of 1360	340	rundll32.exe	rundll32.exe
PID 340 wrote to memory of 1360	340	rundll32.exe	rundll32.exe
PID 340 wrote to memory of 1360	340	rundll32.exe	rundll32.exe
PID 340 wrote to memory of 1360	340	rundll32.exe	rundll32.exe
PID 340 wrote to memory of 1360	340	rundll32.exe	rundll32.exe
PID 340 wrote to memory of 1360	340	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4.dll,#1
2⤵
- Blocklisted process makes network request
PID:1360

memory/1360-54-0x0000000000000000-mapping.dmp

Download
memory/1360-55-0x0000000075461000-0x0000000075463000-memory.dmp

Filesize
8KB

Download
memory/1360-56-0x0000000000630000-0x0000000000771000-memory.dmp

Filesize
1.3MB

Download