danabot | 2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1

General

Target

2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe
Size

890KB
MD5

7c0cae1c4eb0e3633d5b4e7fe2be525f
SHA1

00b865b9d5178d72ecc03c0462800a4b8e7e93ef
SHA256

2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1
SHA512

8a0d2db90ed27fb3eb1747c6d9d4505d64eb67a6f3db9ab25756b22f86e08407a6d28a60cea8c49aeb3e1e5178acc4f0d899a2a1582a88b7ccc9b9c2a9f6d55f

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

224.233.78.25

56.240.227.37

96.59.105.177

253.78.52.99

149.154.159.213

89.217.209.119

195.123.220.45

177.223.102.4

6.164.247.12

250.48.199.39

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2AA813~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\2AA813~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\2AA813~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\2AA813~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\2AA813~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\2AA813~1.DLL	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

1 1608 rundll32.exe
3 1608 rundll32.exe
4 1608 rundll32.exe
5 1608 rundll32.exe
6 1608 rundll32.exe
9 1608 rundll32.exe
10 1608 rundll32.exe
Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

1328 regsvr32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1328 regsvr32.exe
1608 rundll32.exe
1608 rundll32.exe
1608 rundll32.exe
1608 rundll32.exe

flow	pid	process
1	1608	rundll32.exe
3	1608	rundll32.exe
4	1608	rundll32.exe
5	1608	rundll32.exe
6	1608	rundll32.exe
9	1608	rundll32.exe
10	1608	rundll32.exe

pid	process
1328	regsvr32.exe

pid	process
1328	regsvr32.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exeregsvr32.exe

description	pid	process	target process
PID 1156 wrote to memory of 1328	1156	2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe	regsvr32.exe
PID 1156 wrote to memory of 1328	1156	2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe	regsvr32.exe
PID 1156 wrote to memory of 1328	1156	2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe	regsvr32.exe
PID 1156 wrote to memory of 1328	1156	2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe	regsvr32.exe
PID 1156 wrote to memory of 1328	1156	2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe	regsvr32.exe
PID 1156 wrote to memory of 1328	1156	2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe	regsvr32.exe
PID 1156 wrote to memory of 1328	1156	2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe	regsvr32.exe
PID 1328 wrote to memory of 1608	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1608	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1608	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1608	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1608	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1608	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1608	1328	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe
"C:\Users\Admin\AppData\Local\Temp\2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\2AA813~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\2AA813~1.EXE@1156
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2AA813~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2AA813~1.DLL
Filesize
671KB

MD5
1e837080f9431af2dc190ede19a2e2fe

SHA1
1771f09e72a0e55ebbe4c28bd1881e9fde340da2

SHA256
8f74d7c57af38686de3a816c65b6eedec7aa5f5979ffc9bc0ce3316e7e1ba680

SHA512
b05206a59f8a183af11e1071ed7805bee20af01dd490ef58fa9e9938de0cb4ed49191911a1ce1b58a9ded9cd132781184db08e5a85708074db0e92767d03a9d7

Download Submit
\Users\Admin\AppData\Local\Temp\2AA813~1.DLL
Filesize
671KB

MD5
1e837080f9431af2dc190ede19a2e2fe

SHA1
1771f09e72a0e55ebbe4c28bd1881e9fde340da2

SHA256
8f74d7c57af38686de3a816c65b6eedec7aa5f5979ffc9bc0ce3316e7e1ba680

SHA512
b05206a59f8a183af11e1071ed7805bee20af01dd490ef58fa9e9938de0cb4ed49191911a1ce1b58a9ded9cd132781184db08e5a85708074db0e92767d03a9d7

Download Submit
\Users\Admin\AppData\Local\Temp\2AA813~1.DLL
Filesize
671KB

MD5
1e837080f9431af2dc190ede19a2e2fe

SHA1
1771f09e72a0e55ebbe4c28bd1881e9fde340da2

SHA256
8f74d7c57af38686de3a816c65b6eedec7aa5f5979ffc9bc0ce3316e7e1ba680

SHA512
b05206a59f8a183af11e1071ed7805bee20af01dd490ef58fa9e9938de0cb4ed49191911a1ce1b58a9ded9cd132781184db08e5a85708074db0e92767d03a9d7

Download Submit
\Users\Admin\AppData\Local\Temp\2AA813~1.DLL
Filesize
671KB

MD5
1e837080f9431af2dc190ede19a2e2fe

SHA1
1771f09e72a0e55ebbe4c28bd1881e9fde340da2

SHA256
8f74d7c57af38686de3a816c65b6eedec7aa5f5979ffc9bc0ce3316e7e1ba680

SHA512
b05206a59f8a183af11e1071ed7805bee20af01dd490ef58fa9e9938de0cb4ed49191911a1ce1b58a9ded9cd132781184db08e5a85708074db0e92767d03a9d7

Download Submit
\Users\Admin\AppData\Local\Temp\2AA813~1.DLL
Filesize
671KB

MD5
1e837080f9431af2dc190ede19a2e2fe

SHA1
1771f09e72a0e55ebbe4c28bd1881e9fde340da2

SHA256
8f74d7c57af38686de3a816c65b6eedec7aa5f5979ffc9bc0ce3316e7e1ba680

SHA512
b05206a59f8a183af11e1071ed7805bee20af01dd490ef58fa9e9938de0cb4ed49191911a1ce1b58a9ded9cd132781184db08e5a85708074db0e92767d03a9d7

Download Submit
\Users\Admin\AppData\Local\Temp\2AA813~1.DLL
Filesize
671KB

MD5
1e837080f9431af2dc190ede19a2e2fe

SHA1
1771f09e72a0e55ebbe4c28bd1881e9fde340da2

SHA256
8f74d7c57af38686de3a816c65b6eedec7aa5f5979ffc9bc0ce3316e7e1ba680

SHA512
b05206a59f8a183af11e1071ed7805bee20af01dd490ef58fa9e9938de0cb4ed49191911a1ce1b58a9ded9cd132781184db08e5a85708074db0e92767d03a9d7

Download Submit
memory/1328-54-0x0000000000000000-mapping.dmp

Download
memory/1328-55-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/1328-58-0x0000000000210000-0x00000000002C4000-memory.dmp

Filesize
720KB

Download
memory/1608-59-0x0000000000000000-mapping.dmp

Download
memory/1608-65-0x0000000000250000-0x0000000000304000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing