danabot | a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06

General

Target

a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe
Size

2.2MB
MD5

73c81633573ad5f1d30f16bbace78256
SHA1

075c68a77646235b5e3972207fe8766a13b47f9c
SHA256

a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06
SHA512

0524aa6a83f67d3478ea46cf2d9f27878d1fa0377408eb045c1726c3ade60050e5d37390f8dbad8b898290b6298523681d6d63699116f40bddf1cdb0d6cffd93

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

89.44.9.132

64.188.23.70

179.43.133.35

45.147.231.218

89.45.4.126

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A85658~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\A85658~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\A85658~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\A85658~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\A85658~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\A85658~1.DLL	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

2 1684 rundll32.exe
3 1684 rundll32.exe
4 1684 rundll32.exe
5 1684 rundll32.exe
8 1684 rundll32.exe
11 1684 rundll32.exe
12 1684 rundll32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1820 regsvr32.exe
1684 rundll32.exe
1684 rundll32.exe
1684 rundll32.exe
1684 rundll32.exe

flow	pid	process
2	1684	rundll32.exe
3	1684	rundll32.exe
4	1684	rundll32.exe
5	1684	rundll32.exe
8	1684	rundll32.exe
11	1684	rundll32.exe
12	1684	rundll32.exe

pid	process
1820	regsvr32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exeregsvr32.exe

description	pid	process	target process
PID 1504 wrote to memory of 1820	1504	a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe	regsvr32.exe
PID 1504 wrote to memory of 1820	1504	a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe	regsvr32.exe
PID 1504 wrote to memory of 1820	1504	a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe	regsvr32.exe
PID 1504 wrote to memory of 1820	1504	a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe	regsvr32.exe
PID 1504 wrote to memory of 1820	1504	a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe	regsvr32.exe
PID 1504 wrote to memory of 1820	1504	a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe	regsvr32.exe
PID 1504 wrote to memory of 1820	1504	a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe	regsvr32.exe
PID 1820 wrote to memory of 1684	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 1684	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 1684	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 1684	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 1684	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 1684	1820	regsvr32.exe	rundll32.exe
PID 1820 wrote to memory of 1684	1820	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe
"C:\Users\Admin\AppData\Local\Temp\a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\A85658~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\A85658~1.EXE@1504
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A85658~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A85658~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\A85658~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\A85658~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\A85658~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\A85658~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\A85658~1.DLL
Filesize
2.0MB

MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
memory/1504-57-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/1504-54-0x0000000002270000-0x0000000002491000-memory.dmp

Filesize
2.1MB

Download
memory/1504-56-0x00000000024A0000-0x00000000026D6000-memory.dmp

Filesize
2.2MB

Download
memory/1504-55-0x0000000002270000-0x0000000002491000-memory.dmp

Filesize
2.1MB

Download
memory/1684-63-0x0000000000000000-mapping.dmp

Download
memory/1684-69-0x00000000009B0000-0x0000000000BC6000-memory.dmp

Filesize
2.1MB

Download
memory/1820-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1820-62-0x0000000000C40000-0x0000000000E56000-memory.dmp

Filesize
2.1MB

Download
memory/1820-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing