danabot | f93628943add0691bc80e1db3cee114133ef839e820f50448b3082c46113cb6d

Resubmissions

03-05-2022 12:57

220503-p7a1eaheaj 8

21-04-2022 08:13

220421-j4eljaacfn 8

Analysis

max time kernel
139s
max time network
91s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-05-2022 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6a68f651c30d7c6c914114fa14aa0b.exe
Size

967KB
MD5

ae6a68f651c30d7c6c914114fa14aa0b
SHA1

21eeaeb2061461f7bdd20f02542c18cc4ea75baa
SHA256

f93628943add0691bc80e1db3cee114133ef839e820f50448b3082c46113cb6d
SHA512

e06c62be260746076290d404f90e797d340db014b250d1c78bf05fc33fd469e051d9092df59f7668673cdd7a6a7df47ab5977b241b66da3ad20528c6266ddef9

Score

10^/10

danabot 7 banker trojan

Malware Config

Extracted

Family

danabot

Attributes

type
loader

Extracted

Family

danabot

Botnet

192.236.176.108:443

23.254.209.218:443

Attributes

embedded_hash
FF16DCD8834CB7E04B2EEB3200331F40
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

2 840 rundll32.exe
4 840 rundll32.exe
5 840 rundll32.exe
7 840 rundll32.exe
8 840 rundll32.exe

flow	pid	process
2	840	rundll32.exe
4	840	rundll32.exe
5	840	rundll32.exe
7	840	rundll32.exe
8	840	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

ae6a68f651c30d7c6c914114fa14aa0b.exe

description	pid	process	target process
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe
PID 2036 wrote to memory of 840	2036	ae6a68f651c30d7c6c914114fa14aa0b.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ae6a68f651c30d7c6c914114fa14aa0b.exe
"C:\Users\Admin\AppData\Local\Temp\ae6a68f651c30d7c6c914114fa14aa0b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/840-58-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/840-60-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/840-86-0x0000000000000000-mapping.dmp

Download
memory/840-89-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/840-90-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/840-91-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/840-92-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/2036-54-0x0000000001E90000-0x0000000001F55000-memory.dmp

Filesize
788KB

Download
memory/2036-55-0x0000000001E90000-0x0000000001F55000-memory.dmp

Filesize
788KB

Download
memory/2036-56-0x0000000001F60000-0x0000000002145000-memory.dmp

Filesize
1.9MB

Download
memory/2036-57-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/2036-88-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download