danabot | f93628943add0691bc80e1db3cee114133ef839e820f50448b3082c46113cb6d

Resubmissions

03-05-2022 12:57

220503-p7a1eaheaj 8

21-04-2022 08:13

220421-j4eljaacfn 8

Analysis

max time kernel
178s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-05-2022 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6a68f651c30d7c6c914114fa14aa0b.exe
Size

967KB
MD5

ae6a68f651c30d7c6c914114fa14aa0b
SHA1

21eeaeb2061461f7bdd20f02542c18cc4ea75baa
SHA256

f93628943add0691bc80e1db3cee114133ef839e820f50448b3082c46113cb6d
SHA512

e06c62be260746076290d404f90e797d340db014b250d1c78bf05fc33fd469e051d9092df59f7668673cdd7a6a7df47ab5977b241b66da3ad20528c6266ddef9

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

Attributes

type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 6 IoCs

flow	pid	Process
12	4012	rundll32.exe
17	4012	rundll32.exe
20	4012	rundll32.exe
25	4012	rundll32.exe
28	4012	rundll32.exe
31	4012	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4588	2564	WerFault.exe	79

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82
PID 2564 wrote to memory of 4012	2564	ae6a68f651c30d7c6c914114fa14aa0b.exe	82

C:\Users\Admin\AppData\Local\Temp\ae6a68f651c30d7c6c914114fa14aa0b.exe
"C:\Users\Admin\AppData\Local\Temp\ae6a68f651c30d7c6c914114fa14aa0b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:4012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 420
  2⤵
  - Program crash
  PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2564 -ip 2564
1⤵
PID:2872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2564-130-0x000000000231F000-0x00000000023E4000-memory.dmp

Filesize
788KB

Download
memory/2564-131-0x0000000002490000-0x0000000002675000-memory.dmp

Filesize
1.9MB

Download
memory/2564-132-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/4012-134-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/4012-135-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/4012-136-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4012-137-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/4012-138-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/4012-139-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/4012-140-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4012-141-0x0000000000410000-0x0000000000413000-memory.dmp

Filesize
12KB

Download
memory/4012-142-0x0000000000420000-0x0000000000423000-memory.dmp

Filesize
12KB

Download
memory/4012-144-0x0000000000440000-0x0000000000443000-memory.dmp

Filesize
12KB

Download
memory/4012-143-0x0000000000430000-0x0000000000433000-memory.dmp

Filesize
12KB

Download
memory/4012-145-0x0000000000450000-0x0000000000453000-memory.dmp

Filesize
12KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads