danabot | 40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7

General

Target

40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe
Size

2.4MB
MD5

8bb98c6ebdc6c94ee1d4bda43c027591
SHA1

457da876e3c9d70c1588c6d3717da6ec9288dd91
SHA256

40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7
SHA512

44bfcc279b76972e17f5decf0fbce8cf18686aaae31eba36c296f0c0ca5fbc2c8974e22c219951cd98b0ad8a21635694344370ed8b7bf173859f71d9ba50a24a

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

89.44.9.132

64.188.23.70

179.43.133.35

45.147.231.218

89.45.4.126

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 5 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\40A498~1.DLL	family_danabot
C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.dll	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
38	4552	rundll32.exe
46	4552	rundll32.exe
49	4552	rundll32.exe
60	4552	rundll32.exe
61	4552	rundll32.exe
62	4552	rundll32.exe
63	4552	rundll32.exe
64	4552	rundll32.exe

Loads dropped DLL 4 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

3200 regsvr32.exe
3200 regsvr32.exe
4552 rundll32.exe
4552 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5008 4468 WerFault.exe 40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe

pid	process
3200	regsvr32.exe
3200	regsvr32.exe
4552	rundll32.exe
4552	rundll32.exe

pid	pid_target	process	target process
5008	4468	WerFault.exe	40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exeregsvr32.exe

description	pid	process	target process
PID 4468 wrote to memory of 3200	4468	40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe	regsvr32.exe
PID 4468 wrote to memory of 3200	4468	40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe	regsvr32.exe
PID 4468 wrote to memory of 3200	4468	40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe	regsvr32.exe
PID 3200 wrote to memory of 4552	3200	regsvr32.exe	rundll32.exe
PID 3200 wrote to memory of 4552	3200	regsvr32.exe	rundll32.exe
PID 3200 wrote to memory of 4552	3200	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe
"C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\40A498~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\40A498~1.EXE@4468
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\40A498~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 500
2⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4468 -ip 4468
1⤵
PID:548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40A498~1.DLL
Filesize
2.0MB

MD5
f44d1c7820bb02b486871ba9eab2f226

SHA1
d040d7b886002f37924536425b43091f21a3844b

SHA256
24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

SHA512
b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.dll
Filesize
2.0MB

MD5
f44d1c7820bb02b486871ba9eab2f226

SHA1
d040d7b886002f37924536425b43091f21a3844b

SHA256
24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

SHA512
b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.dll
Filesize
2.0MB

MD5
f44d1c7820bb02b486871ba9eab2f226

SHA1
d040d7b886002f37924536425b43091f21a3844b

SHA256
24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

SHA512
b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.dll
Filesize
2.0MB

MD5
f44d1c7820bb02b486871ba9eab2f226

SHA1
d040d7b886002f37924536425b43091f21a3844b

SHA256
24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

SHA512
b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\40a498c4ed3c62f7b42141338c5ac7755d12a0650a49832f2f9b4c57bf47c7c7.dll
Filesize
2.0MB

MD5
f44d1c7820bb02b486871ba9eab2f226

SHA1
d040d7b886002f37924536425b43091f21a3844b

SHA256
24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

SHA512
b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

Download Submit
memory/3200-132-0x0000000000000000-mapping.dmp

Download
memory/3200-136-0x0000000002010000-0x0000000002226000-memory.dmp

Filesize
2.1MB

Download
memory/4468-130-0x00000000015E8000-0x0000000001809000-memory.dmp

Filesize
2.1MB

Download
memory/4468-131-0x0000000001810000-0x0000000001A46000-memory.dmp

Filesize
2.2MB

Download
memory/4468-141-0x0000000000400000-0x0000000000E46000-memory.dmp

Filesize
10.3MB

Download
memory/4552-137-0x0000000000000000-mapping.dmp

Download
memory/4552-140-0x0000000002030000-0x0000000002246000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads