danabot | ea315e9e65af9d1d95ac0636abde389107bb131f99e9eeac2dd16821be1ba888

General

Target

341d69cf4f5d9be493ebe9913f4150cf.exe
Size

1.1MB
MD5

341d69cf4f5d9be493ebe9913f4150cf
SHA1

b043c610bf6b1fea68701910870d439501d8f832
SHA256

ea315e9e65af9d1d95ac0636abde389107bb131f99e9eeac2dd16821be1ba888
SHA512

50534e155760d2dde64e0737f90b63d35c1b0e3136007476d9e62b8eaf0bfb42225a57dc340c12e45a7346cdf56a857e403b4230d561b32991f1155f4d8294ab

Score

10^/10

danabot 7 banker trojan

Malware Config

Extracted

Family

danabot

Attributes

type
loader

Extracted

Family

danabot

Botnet

7

C2

192.236.176.108:443

23.254.209.218:443

Attributes

embedded_hash
F05AD7842A54466C7E7FBCE36DCCAB8C
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

2 1688 rundll32.exe
4 1688 rundll32.exe
6 1688 rundll32.exe
7 1688 rundll32.exe
8 1688 rundll32.exe

flow	pid	process
2	1688	rundll32.exe
4	1688	rundll32.exe
6	1688	rundll32.exe
7	1688	rundll32.exe
8	1688	rundll32.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

341d69cf4f5d9be493ebe9913f4150cf.exe

description	pid	process	target process
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe
PID 1884 wrote to memory of 1688	1884	341d69cf4f5d9be493ebe9913f4150cf.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\341d69cf4f5d9be493ebe9913f4150cf.exe
"C:\Users\Admin\AppData\Local\Temp\341d69cf4f5d9be493ebe9913f4150cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-123-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1688-133-0x0000000000270000-0x0000000000273000-memory.dmp

Filesize
12KB

Download
memory/1688-117-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/1688-118-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/1688-58-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download
memory/1688-60-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download
memory/1688-108-0x0000000000000000-mapping.dmp

Download
memory/1688-131-0x0000000000250000-0x0000000000253000-memory.dmp

Filesize
12KB

Download
memory/1688-112-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1688-111-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1688-114-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/1688-113-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/1688-116-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1688-115-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/1688-132-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/1688-120-0x0000000000150000-0x0000000000153000-memory.dmp

Filesize
12KB

Download
memory/1688-129-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1688-119-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/1688-122-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1688-121-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/1688-124-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/1688-130-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/1688-125-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/1688-126-0x0000000000200000-0x0000000000203000-memory.dmp

Filesize
12KB

Download
memory/1688-127-0x0000000000210000-0x0000000000213000-memory.dmp

Filesize
12KB

Download
memory/1688-128-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1884-54-0x0000000000220000-0x00000000002FD000-memory.dmp

Filesize
884KB

Download
memory/1884-55-0x0000000000220000-0x00000000002FD000-memory.dmp

Filesize
884KB

Download
memory/1884-56-0x0000000002040000-0x0000000002265000-memory.dmp

Filesize
2.1MB

Download
memory/1884-110-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/1884-57-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads