danabot | 60db5de363585fce685056cde11796f4cadc79c861e39475ebd9bb2b9c6e8117

General

Target

60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe
Size

1.4MB
MD5

1323af5b087a2941e31817a98c035269
SHA1

65e101144578c32a03614039e2e6b3c04900c98a
SHA256

60db5de363585fce685056cde11796f4cadc79c861e39475ebd9bb2b9c6e8117
SHA512

2b7172a93ebaf6cce4bcde08038dc8666c57d580724dc32e3e586483e345499ced915a76ddd435c7a3be858ea77a314033a30bf1bd6e57942cdab877290e81c1

Score

10^/10

danabot 4 banker suricata trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

192.236.161.79:443

192.236.146.39:443

37.220.31.27:443

Attributes

embedded_hash
7FF0AA10AB3BA961670646D23EAE3911
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1896 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1896 rundll32.exe
1896 rundll32.exe
1896 rundll32.exe
1896 rundll32.exe

flow	pid	process
2	1896	rundll32.exe

pid	process
1896	rundll32.exe
1896	rundll32.exe
1896	rundll32.exe
1896	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe

description	pid	process	target process
PID 2036 wrote to memory of 1896	2036	60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe	rundll32.exe
PID 2036 wrote to memory of 1896	2036	60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe	rundll32.exe
PID 2036 wrote to memory of 1896	2036	60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe	rundll32.exe
PID 2036 wrote to memory of 1896	2036	60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe	rundll32.exe
PID 2036 wrote to memory of 1896	2036	60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe	rundll32.exe
PID 2036 wrote to memory of 1896	2036	60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe	rundll32.exe
PID 2036 wrote to memory of 1896	2036	60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe
"C:\Users\Admin\AppData\Local\Temp\60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\60DB5D~1.DLL,s C:\Users\Admin\AppData\Local\Temp\60DB5D~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\60DB5D~1.DLL
Filesize
1.3MB

MD5
9db97ccdda50d562611aedef39195fc6

SHA1
96477389111bb52de23bd96d06aa3160b0603934

SHA256
f216f82d74a29e6f6612f56998311712daa4d61eefb6840f059e8a31cb69ce3c

SHA512
e31412501d84057e6488303fdf58702b6c2103d9007fd99468687120d907dffe76957866487ba069461e8178c5c2f538ad37642c958ccd324aedf1501e926a11

Download Submit
\Users\Admin\AppData\Local\Temp\60DB5D~1.DLL
Filesize
1.3MB

MD5
9db97ccdda50d562611aedef39195fc6

SHA1
96477389111bb52de23bd96d06aa3160b0603934

SHA256
f216f82d74a29e6f6612f56998311712daa4d61eefb6840f059e8a31cb69ce3c

SHA512
e31412501d84057e6488303fdf58702b6c2103d9007fd99468687120d907dffe76957866487ba069461e8178c5c2f538ad37642c958ccd324aedf1501e926a11

Download Submit
\Users\Admin\AppData\Local\Temp\60DB5D~1.DLL
Filesize
1.3MB

MD5
9db97ccdda50d562611aedef39195fc6

SHA1
96477389111bb52de23bd96d06aa3160b0603934

SHA256
f216f82d74a29e6f6612f56998311712daa4d61eefb6840f059e8a31cb69ce3c

SHA512
e31412501d84057e6488303fdf58702b6c2103d9007fd99468687120d907dffe76957866487ba069461e8178c5c2f538ad37642c958ccd324aedf1501e926a11

Download Submit
\Users\Admin\AppData\Local\Temp\60DB5D~1.DLL
Filesize
1.3MB

MD5
9db97ccdda50d562611aedef39195fc6

SHA1
96477389111bb52de23bd96d06aa3160b0603934

SHA256
f216f82d74a29e6f6612f56998311712daa4d61eefb6840f059e8a31cb69ce3c

SHA512
e31412501d84057e6488303fdf58702b6c2103d9007fd99468687120d907dffe76957866487ba069461e8178c5c2f538ad37642c958ccd324aedf1501e926a11

Download Submit
\Users\Admin\AppData\Local\Temp\60DB5D~1.DLL
Filesize
1.3MB

MD5
9db97ccdda50d562611aedef39195fc6

SHA1
96477389111bb52de23bd96d06aa3160b0603934

SHA256
f216f82d74a29e6f6612f56998311712daa4d61eefb6840f059e8a31cb69ce3c

SHA512
e31412501d84057e6488303fdf58702b6c2103d9007fd99468687120d907dffe76957866487ba069461e8178c5c2f538ad37642c958ccd324aedf1501e926a11

Download Submit
memory/1896-59-0x0000000000000000-mapping.dmp

Download
memory/1896-66-0x00000000006C0000-0x000000000081C000-memory.dmp

Filesize
1.4MB

Download
memory/2036-54-0x0000000000AE0000-0x0000000000C23000-memory.dmp

Filesize
1.3MB

Download
memory/2036-55-0x00000000765D1000-0x00000000765D3000-memory.dmp

Filesize
8KB

Download
memory/2036-56-0x0000000000AE0000-0x0000000000C23000-memory.dmp

Filesize
1.3MB

Download
memory/2036-57-0x0000000001150000-0x000000000133A000-memory.dmp

Filesize
1.9MB

Download
memory/2036-58-0x0000000000400000-0x0000000000ADD000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing