danabot | a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06

General

Target

a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe
Size

2.2MB
MD5

73c81633573ad5f1d30f16bbace78256
SHA1

075c68a77646235b5e3972207fe8766a13b47f9c
SHA256

a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06
SHA512

0524aa6a83f67d3478ea46cf2d9f27878d1fa0377408eb045c1726c3ade60050e5d37390f8dbad8b898290b6298523681d6d63699116f40bddf1cdb0d6cffd93

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

89.44.9.132

64.188.23.70

179.43.133.35

45.147.231.218

89.45.4.126

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 4 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A85658~1.DLL	family_danabot
C:\Users\Admin\AppData\Local\Temp\a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.dll	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
30	4696	rundll32.exe
43	4696	rundll32.exe
58	4696	rundll32.exe
72	4696	rundll32.exe
73	4696	rundll32.exe
82	4696	rundll32.exe
87	4696	rundll32.exe
90	4696	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1908 regsvr32.exe
4696 rundll32.exe
4696 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3804 1888 WerFault.exe a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe

pid	process
1908	regsvr32.exe
4696	rundll32.exe
4696	rundll32.exe

pid	pid_target	process	target process
3804	1888	WerFault.exe	a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exeregsvr32.exe

description	pid	process	target process
PID 1888 wrote to memory of 1908	1888	a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe	regsvr32.exe
PID 1888 wrote to memory of 1908	1888	a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe	regsvr32.exe
PID 1888 wrote to memory of 1908	1888	a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe	regsvr32.exe
PID 1908 wrote to memory of 4696	1908	regsvr32.exe	rundll32.exe
PID 1908 wrote to memory of 4696	1908	regsvr32.exe	rundll32.exe
PID 1908 wrote to memory of 4696	1908	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe
"C:\Users\Admin\AppData\Local\Temp\a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\A85658~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\A85658~1.EXE@1888
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A85658~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 488
2⤵
- Program crash
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1888 -ip 1888
1⤵
PID:632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A85658~1.DLL
Filesize
2.0MB

MD5
f44d1c7820bb02b486871ba9eab2f226

SHA1
d040d7b886002f37924536425b43091f21a3844b

SHA256
24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

SHA512
b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.dll
Filesize
2.0MB

MD5
f44d1c7820bb02b486871ba9eab2f226

SHA1
d040d7b886002f37924536425b43091f21a3844b

SHA256
24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

SHA512
b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.dll
Filesize
2.0MB

MD5
f44d1c7820bb02b486871ba9eab2f226

SHA1
d040d7b886002f37924536425b43091f21a3844b

SHA256
24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

SHA512
b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a856585c094aebd0869ba130ac9a3e5eea6768e2da1086c733abef57c5a4ec06.dll
Filesize
2.0MB

MD5
f44d1c7820bb02b486871ba9eab2f226

SHA1
d040d7b886002f37924536425b43091f21a3844b

SHA256
24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

SHA512
b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

Download Submit
memory/1888-130-0x0000000002697000-0x00000000028B8000-memory.dmp

Filesize
2.1MB

Download
memory/1888-131-0x00000000028C0000-0x0000000002AF6000-memory.dmp

Filesize
2.2MB

Download
memory/1888-132-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/1908-133-0x0000000000000000-mapping.dmp

Download
memory/4696-136-0x0000000000000000-mapping.dmp

Download
memory/4696-139-0x0000000001EE0000-0x00000000020F6000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads