danabot | 90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97

General

Target

90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97.exe
Size

2.6MB
MD5

95e5ade6dc73995c3aead518331fc6d1
SHA1

99f3f68704a6c2c5e5cdda3eeff3122fc78a2ae4
SHA256

90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97
SHA512

8d56b8152740684f508629b644cc133a99e84e24cafa00b1a81ab91f6cbcba587022cca3323ce7739b65284c38c534822b974ab0330ab50d9a682b509e5942e3

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\90EE20~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\90EE20~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\90EE20~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\90EE20~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\90EE20~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\90EE20~1.DLL	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

1 876 rundll32.exe
2 876 rundll32.exe
4 876 rundll32.exe
5 876 rundll32.exe
8 876 rundll32.exe
9 876 rundll32.exe
12 876 rundll32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

2044 regsvr32.exe
876 rundll32.exe
876 rundll32.exe
876 rundll32.exe
876 rundll32.exe

flow	pid	process
1	876	rundll32.exe
2	876	rundll32.exe
4	876	rundll32.exe
5	876	rundll32.exe
8	876	rundll32.exe
9	876	rundll32.exe
12	876	rundll32.exe

pid	process
2044	regsvr32.exe
876	rundll32.exe
876	rundll32.exe
876	rundll32.exe
876	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97.exeregsvr32.exe

description	pid	process	target process
PID 1956 wrote to memory of 2044	1956	90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97.exe	regsvr32.exe
PID 1956 wrote to memory of 2044	1956	90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97.exe	regsvr32.exe
PID 1956 wrote to memory of 2044	1956	90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97.exe	regsvr32.exe
PID 1956 wrote to memory of 2044	1956	90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97.exe	regsvr32.exe
PID 1956 wrote to memory of 2044	1956	90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97.exe	regsvr32.exe
PID 1956 wrote to memory of 2044	1956	90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97.exe	regsvr32.exe
PID 1956 wrote to memory of 2044	1956	90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97.exe	regsvr32.exe
PID 2044 wrote to memory of 876	2044	regsvr32.exe	rundll32.exe
PID 2044 wrote to memory of 876	2044	regsvr32.exe	rundll32.exe
PID 2044 wrote to memory of 876	2044	regsvr32.exe	rundll32.exe
PID 2044 wrote to memory of 876	2044	regsvr32.exe	rundll32.exe
PID 2044 wrote to memory of 876	2044	regsvr32.exe	rundll32.exe
PID 2044 wrote to memory of 876	2044	regsvr32.exe	rundll32.exe
PID 2044 wrote to memory of 876	2044	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97.exe
"C:\Users\Admin\AppData\Local\Temp\90ee20a62bdeebc3dd489ed275e9b8da56638bf19e44bed8c43e7e4bc9e12f97.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\90EE20~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\90EE20~1.EXE@1956
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\90EE20~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\90EE20~1.DLL
Filesize
2.4MB

MD5
9cb7b0d8e817636deed7b195e69f6156

SHA1
3a68463ef2313fa9580ff8048900ffcafb604114

SHA256
9e9c58dec15cf26e295f6d4dc1587468e6f1483e78ff2b8a2f47034b9731f5b1

SHA512
c8cb93a387cbfe13d1cfd131cffdce95656543cbb8838983015c981aad5cb9e7a6c1bbf94f248a83017420d7d51eea2ab44449333dd1557e2ec2a7017fc8a793

Download Submit
\Users\Admin\AppData\Local\Temp\90EE20~1.DLL
Filesize
2.4MB

MD5
9cb7b0d8e817636deed7b195e69f6156

SHA1
3a68463ef2313fa9580ff8048900ffcafb604114

SHA256
9e9c58dec15cf26e295f6d4dc1587468e6f1483e78ff2b8a2f47034b9731f5b1

SHA512
c8cb93a387cbfe13d1cfd131cffdce95656543cbb8838983015c981aad5cb9e7a6c1bbf94f248a83017420d7d51eea2ab44449333dd1557e2ec2a7017fc8a793

Download Submit
\Users\Admin\AppData\Local\Temp\90EE20~1.DLL
Filesize
2.4MB

MD5
9cb7b0d8e817636deed7b195e69f6156

SHA1
3a68463ef2313fa9580ff8048900ffcafb604114

SHA256
9e9c58dec15cf26e295f6d4dc1587468e6f1483e78ff2b8a2f47034b9731f5b1

SHA512
c8cb93a387cbfe13d1cfd131cffdce95656543cbb8838983015c981aad5cb9e7a6c1bbf94f248a83017420d7d51eea2ab44449333dd1557e2ec2a7017fc8a793

Download Submit
\Users\Admin\AppData\Local\Temp\90EE20~1.DLL
Filesize
2.4MB

MD5
9cb7b0d8e817636deed7b195e69f6156

SHA1
3a68463ef2313fa9580ff8048900ffcafb604114

SHA256
9e9c58dec15cf26e295f6d4dc1587468e6f1483e78ff2b8a2f47034b9731f5b1

SHA512
c8cb93a387cbfe13d1cfd131cffdce95656543cbb8838983015c981aad5cb9e7a6c1bbf94f248a83017420d7d51eea2ab44449333dd1557e2ec2a7017fc8a793

Download Submit
\Users\Admin\AppData\Local\Temp\90EE20~1.DLL
Filesize
2.4MB

MD5
9cb7b0d8e817636deed7b195e69f6156

SHA1
3a68463ef2313fa9580ff8048900ffcafb604114

SHA256
9e9c58dec15cf26e295f6d4dc1587468e6f1483e78ff2b8a2f47034b9731f5b1

SHA512
c8cb93a387cbfe13d1cfd131cffdce95656543cbb8838983015c981aad5cb9e7a6c1bbf94f248a83017420d7d51eea2ab44449333dd1557e2ec2a7017fc8a793

Download Submit
\Users\Admin\AppData\Local\Temp\90EE20~1.DLL
Filesize
2.4MB

MD5
9cb7b0d8e817636deed7b195e69f6156

SHA1
3a68463ef2313fa9580ff8048900ffcafb604114

SHA256
9e9c58dec15cf26e295f6d4dc1587468e6f1483e78ff2b8a2f47034b9731f5b1

SHA512
c8cb93a387cbfe13d1cfd131cffdce95656543cbb8838983015c981aad5cb9e7a6c1bbf94f248a83017420d7d51eea2ab44449333dd1557e2ec2a7017fc8a793

Download Submit
memory/876-63-0x0000000000000000-mapping.dmp

Download
memory/876-69-0x0000000002230000-0x000000000249B000-memory.dmp

Filesize
2.4MB

Download
memory/1956-61-0x0000000000400000-0x00000000026E5000-memory.dmp

Filesize
34.9MB

Download
memory/1956-54-0x0000000004050000-0x00000000042C8000-memory.dmp

Filesize
2.5MB

Download
memory/1956-56-0x00000000042D0000-0x000000000455D000-memory.dmp

Filesize
2.6MB

Download
memory/1956-55-0x0000000004050000-0x00000000042C8000-memory.dmp

Filesize
2.5MB

Download
memory/2044-62-0x0000000001ED0000-0x000000000213B000-memory.dmp

Filesize
2.4MB

Download
memory/2044-58-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download
memory/2044-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing