Overview

overview

10

Static

static

60DB5DE363...39.exe

windows7_x64

10

60DB5DE363...39.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220331-en
  • submitted
    12-04-2022 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe

  • Size

    1.4MB

  • MD5

    1323af5b087a2941e31817a98c035269

  • SHA1

    65e101144578c32a03614039e2e6b3c04900c98a

  • SHA256

    60db5de363585fce685056cde11796f4cadc79c861e39475ebd9bb2b9c6e8117

  • SHA512

    2b7172a93ebaf6cce4bcde08038dc8666c57d580724dc32e3e586483e345499ced915a76ddd435c7a3be858ea77a314033a30bf1bd6e57942cdab877290e81c1

Score
10/10
danabot4bankersuricatatrojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

192.236.161.79:443

192.236.146.39:443

37.220.31.27:443
Attributes
  • embedded_hash

    7FF0AA10AB3BA961670646D23EAE3911

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • suricata: ET MALWARE Danabot Key Exchange Request

    suricata: ET MALWARE Danabot Key Exchange Request

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe
    "C:\Users\Admin\AppData\Local\Temp\60DB5DE363585FCE685056CDE11796F4CADC79C861E39.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\60DB5D~1.DLL,s C:\Users\Admin\AppData\Local\Temp\60DB5D~1.EXE
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:1852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\60DB5D~1.DLL
    Filesize

    1.3MB

    MD5

    5cbb4f75679e03a1280ec808bbeb3e66

    SHA1

    f49d013ed957ce0a4507380d9a79ed6773aa376c

    SHA256

    4c4f1ea98075224f98d3b4e57a8f20874e0787b5c19813ca36b4b8f088531bf7

    SHA512

    8f30345c37389cd0b6bad8b4b6814e439d29b696e3cdd42674797c80992a6506a2163e809bf581dbc9966b209231c1feae8d2b12541fd682a31dda2db4438d6e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\60DB5D~1.EXE.dll
    Filesize

    1.3MB

    MD5

    5cbb4f75679e03a1280ec808bbeb3e66

    SHA1

    f49d013ed957ce0a4507380d9a79ed6773aa376c

    SHA256

    4c4f1ea98075224f98d3b4e57a8f20874e0787b5c19813ca36b4b8f088531bf7

    SHA512

    8f30345c37389cd0b6bad8b4b6814e439d29b696e3cdd42674797c80992a6506a2163e809bf581dbc9966b209231c1feae8d2b12541fd682a31dda2db4438d6e

    Download Submit
  • memory/1852-127-0x0000000000000000-mapping.dmp
    Download
  • memory/2844-124-0x0000000001051000-0x0000000001194000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2844-125-0x00000000011E0000-0x00000000013CA000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/2844-126-0x0000000000400000-0x0000000000ADD000-memory.dmp
    Filesize

    6.9MB

    Download