danabot | 40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7

General

Target

40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe
Size

2.4MB
MD5

8bb98c6ebdc6c94ee1d4bda43c027591
SHA1

457da876e3c9d70c1588c6d3717da6ec9288dd91
SHA256

40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7
SHA512

44bfcc279b76972e17f5decf0fbce8cf18686aaae31eba36c296f0c0ca5fbc2c8974e22c219951cd98b0ad8a21635694344370ed8b7bf173859f71d9ba50a24a

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

89.44.9.132

64.188.23.70

179.43.133.35

45.147.231.218

89.45.4.126

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\40A498~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\40A498~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\40A498~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\40A498~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\40A498~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\40A498~1.DLL	family_danabot

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

2 1064 rundll32.exe
3 1064 rundll32.exe
4 1064 rundll32.exe
5 1064 rundll32.exe
6 1064 rundll32.exe
7 1064 rundll32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1176 regsvr32.exe
1064 rundll32.exe
1064 rundll32.exe
1064 rundll32.exe
1064 rundll32.exe

flow	pid	process
2	1064	rundll32.exe
3	1064	rundll32.exe
4	1064	rundll32.exe
5	1064	rundll32.exe
6	1064	rundll32.exe
7	1064	rundll32.exe

pid	process
1176	regsvr32.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exeregsvr32.exe

description	pid	process	target process
PID 1944 wrote to memory of 1176	1944	40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe	regsvr32.exe
PID 1944 wrote to memory of 1176	1944	40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe	regsvr32.exe
PID 1944 wrote to memory of 1176	1944	40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe	regsvr32.exe
PID 1944 wrote to memory of 1176	1944	40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe	regsvr32.exe
PID 1944 wrote to memory of 1176	1944	40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe	regsvr32.exe
PID 1944 wrote to memory of 1176	1944	40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe	regsvr32.exe
PID 1944 wrote to memory of 1176	1944	40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe	regsvr32.exe
PID 1176 wrote to memory of 1064	1176	regsvr32.exe	rundll32.exe
PID 1176 wrote to memory of 1064	1176	regsvr32.exe	rundll32.exe
PID 1176 wrote to memory of 1064	1176	regsvr32.exe	rundll32.exe
PID 1176 wrote to memory of 1064	1176	regsvr32.exe	rundll32.exe
PID 1176 wrote to memory of 1064	1176	regsvr32.exe	rundll32.exe
PID 1176 wrote to memory of 1064	1176	regsvr32.exe	rundll32.exe
PID 1176 wrote to memory of 1064	1176	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe
"C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\40A498~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\40A498~1.EXE@1944
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\40A498~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40A498~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\40A498~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\40A498~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\40A498~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\40A498~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\40A498~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
memory/1064-63-0x0000000000000000-mapping.dmp

Download
memory/1064-69-0x0000000001F10000-0x0000000002126000-memory.dmp

Filesize
2.1MB

Download
memory/1176-58-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1176-62-0x0000000000A70000-0x0000000000C86000-memory.dmp

Filesize
2.1MB

Download
memory/1176-57-0x0000000000000000-mapping.dmp

Download
memory/1944-54-0x00000000013C0000-0x00000000015E1000-memory.dmp

Filesize
2.1MB

Download
memory/1944-59-0x0000000000400000-0x0000000000E46000-memory.dmp

Filesize
10.3MB

Download
memory/1944-56-0x00000000015F0000-0x0000000001826000-memory.dmp

Filesize
2.2MB

Download
memory/1944-55-0x00000000013C0000-0x00000000015E1000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing