danabot | 1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5

General

Target

1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll
Size

642KB
MD5

9260c247e415b9120e17ac270d5f4f79
SHA1

6b7ade23f53d64be0a13d843449c3ea62d65d83b
SHA256

1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5
SHA512

678a8f39370199d18ab6d3a04e347e4c90650e786f3670515d116ccff61f111690be978d3e7cecb4406df377507f98444a710c981b89de6a558f7e6101f4f3b3

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

110.26.68.209

16.78.162.184

94.10.25.120

185.82.178.8

21.221.79.29

149.154.159.213

137.20.10.198

48.204.112.181

151.236.14.84

224.150.141.17

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
1	1664	rundll32.exe
2	1664	rundll32.exe
4	1664	rundll32.exe
5	1664	rundll32.exe
8	1664	rundll32.exe
9	1664	rundll32.exe
12	1664	rundll32.exe
13	1664	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

996 908 WerFault.exe rundll32.exe

pid	pid_target	process	target process
996	908	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1800 wrote to memory of 908	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 908	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 908	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 908	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 908	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 908	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 908	1800	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 1664	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 1664	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 1664	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 1664	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 1664	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 1664	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 1664	908	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 996	908	rundll32.exe	WerFault.exe
PID 908 wrote to memory of 996	908	rundll32.exe	WerFault.exe
PID 908 wrote to memory of 996	908	rundll32.exe	WerFault.exe
PID 908 wrote to memory of 996	908	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,f0
3⤵
- Blocklisted process makes network request
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 372
3⤵
- Program crash
PID:996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-54-0x0000000000000000-mapping.dmp

Download
memory/908-55-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/908-56-0x0000000000260000-0x000000000030D000-memory.dmp

Filesize
692KB

Download
memory/996-60-0x0000000000000000-mapping.dmp

Download
memory/1664-57-0x0000000000000000-mapping.dmp

Download
memory/1664-59-0x00000000002E0000-0x000000000038D000-memory.dmp

Filesize
692KB

Download

Analysis

Sharing