danabot | 911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37

General

Target

911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37.exe
Size

2.7MB
MD5

073c564f8a966d72d4b8371ad315dfda
SHA1

9a4833fb2ee1f675c6e43e85c1af476fa280e287
SHA256

911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37
SHA512

88081fa2cc422741d839af530c9da964dcfd55cd2c7cbbbb0a7e171f9178b477d31da08ba3d6ed65761a35ad9357d2eec3bab4e12d2a8ca38d3b9bc10535eb30

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

185.227.138.47

38.68.50.140

2.56.212.64

38.68.50.172

172.241.27.92

193.34.167.159

179.43.133.50

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\911B80~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\911B80~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\911B80~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\911B80~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\911B80~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\911B80~1.DLL	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
1	1112	rundll32.exe
2	1112	rundll32.exe
4	1112	rundll32.exe
7	1112	rundll32.exe
8	1112	rundll32.exe
11	1112	rundll32.exe
12	1112	rundll32.exe
15	1112	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1896 regsvr32.exe
1112 rundll32.exe
1112 rundll32.exe
1112 rundll32.exe
1112 rundll32.exe

pid	process
1896	regsvr32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37.exeregsvr32.exe

description	pid	process	target process
PID 1664 wrote to memory of 1896	1664	911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37.exe	regsvr32.exe
PID 1664 wrote to memory of 1896	1664	911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37.exe	regsvr32.exe
PID 1664 wrote to memory of 1896	1664	911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37.exe	regsvr32.exe
PID 1664 wrote to memory of 1896	1664	911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37.exe	regsvr32.exe
PID 1664 wrote to memory of 1896	1664	911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37.exe	regsvr32.exe
PID 1664 wrote to memory of 1896	1664	911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37.exe	regsvr32.exe
PID 1664 wrote to memory of 1896	1664	911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37.exe	regsvr32.exe
PID 1896 wrote to memory of 1112	1896	regsvr32.exe	rundll32.exe
PID 1896 wrote to memory of 1112	1896	regsvr32.exe	rundll32.exe
PID 1896 wrote to memory of 1112	1896	regsvr32.exe	rundll32.exe
PID 1896 wrote to memory of 1112	1896	regsvr32.exe	rundll32.exe
PID 1896 wrote to memory of 1112	1896	regsvr32.exe	rundll32.exe
PID 1896 wrote to memory of 1112	1896	regsvr32.exe	rundll32.exe
PID 1896 wrote to memory of 1112	1896	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37.exe
"C:\Users\Admin\AppData\Local\Temp\911b807a2a4c688eb144d68d04b07b51618fc9d3fd2121c2e594b1b30f5bfe37.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\911B80~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\911B80~1.EXE@1664
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\911B80~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\911B80~1.DLL
Filesize
2.4MB

MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\911B80~1.DLL
Filesize
2.4MB

MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\911B80~1.DLL
Filesize
2.4MB

MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\911B80~1.DLL
Filesize
2.4MB

MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\911B80~1.DLL
Filesize
2.4MB

MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\911B80~1.DLL
Filesize
2.4MB

MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
memory/1112-69-0x0000000001EE0000-0x000000000214B000-memory.dmp

Filesize
2.4MB

Download
memory/1112-63-0x0000000000000000-mapping.dmp

Download
memory/1664-55-0x0000000002780000-0x00000000029F7000-memory.dmp

Filesize
2.5MB

Download
memory/1664-56-0x0000000002A00000-0x0000000002C8D000-memory.dmp

Filesize
2.6MB

Download
memory/1664-54-0x0000000002780000-0x00000000029F7000-memory.dmp

Filesize
2.5MB

Download
memory/1664-62-0x0000000000400000-0x00000000024BC000-memory.dmp

Filesize
32.7MB

Download
memory/1896-57-0x0000000000000000-mapping.dmp

Download
memory/1896-61-0x0000000001F50000-0x00000000021BB000-memory.dmp

Filesize
2.4MB

Download
memory/1896-58-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads