danabot | 1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5

Analysis

Target

1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll
Size

642KB
MD5

9260c247e415b9120e17ac270d5f4f79
SHA1

6b7ade23f53d64be0a13d843449c3ea62d65d83b
SHA256

1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5
SHA512

678a8f39370199d18ab6d3a04e347e4c90650e786f3670515d116ccff61f111690be978d3e7cecb4406df377507f98444a710c981b89de6a558f7e6101f4f3b3

Score

10^/10

Family

danabot

110.26.68.209

16.78.162.184

94.10.25.120

185.82.178.8

21.221.79.29

149.154.159.213

137.20.10.198

48.204.112.181

151.236.14.84

224.150.141.17

rsa_pubkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

12 2884 rundll32.exe
26 2884 rundll32.exe
39 2884 rundll32.exe
48 2884 rundll32.exe
58 2884 rundll32.exe
62 2884 rundll32.exe
64 2884 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5048 3800 WerFault.exe rundll32.exe

pid	pid_target	process	target process
5048	3800	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3032 wrote to memory of 3800	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 3800	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 3800	3032	rundll32.exe	rundll32.exe
PID 3800 wrote to memory of 2884	3800	rundll32.exe	rundll32.exe
PID 3800 wrote to memory of 2884	3800	rundll32.exe	rundll32.exe
PID 3800 wrote to memory of 2884	3800	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,f0
3⤵
- Blocklisted process makes network request
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 816
3⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3800 -ip 3800
1⤵
PID:1996

memory/2884-132-0x0000000000000000-mapping.dmp

Download
memory/3800-130-0x0000000000000000-mapping.dmp

Download
memory/3800-131-0x0000000000BA0000-0x0000000000C4D000-memory.dmp

Filesize
692KB

Download