Overview

overview

10

Static

static

10

b0ea572735...3d.dll

windows7_x64

10

b0ea572735...3d.dll

windows10-2004_x64

8

Analysis

  • max time kernel
    178s
  • max time network
    184s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 03:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d.dll

  • Size

    671KB

  • MD5

    109e2f5c7ce023d6b0eb6b4f049eb547

  • SHA1

    a7a9f41567bff15b0622930da7cbe5d33fb8f2d8

  • SHA256

    b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d

  • SHA512

    13cb3ed3a6648857e6a1320021e45be33bbdd3119ab6bde1a53d93791ffa8c357f98614f74f4f365144b956d625b828c0aaff7fc9c8fdbb4d2d088aeeca69f52

Score
10/10
danabotbankertrojan

Malware Config

Extracted

Family

danabot

C2

224.233.78.25

56.240.227.37

96.59.105.177

253.78.52.99

149.154.159.213

89.217.209.119

195.123.220.45

177.223.102.4

6.164.247.12

250.48.199.39
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Blocklisted process makes network request 7 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 372
      2⤵
      • Program crash
      PID:1176
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d.dll,f0
      2⤵
      • Blocklisted process makes network request
      PID:1164
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1164-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1176-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1600-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1600-55-0x0000000076721000-0x0000000076723000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1600-56-0x0000000000240000-0x00000000002F4000-memory.dmp
    Filesize

    720KB

    Download