danabot | 2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1

General

Target

2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe
Size

890KB
MD5

7c0cae1c4eb0e3633d5b4e7fe2be525f
SHA1

00b865b9d5178d72ecc03c0462800a4b8e7e93ef
SHA256

2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1
SHA512

8a0d2db90ed27fb3eb1747c6d9d4505d64eb67a6f3db9ab25756b22f86e08407a6d28a60cea8c49aeb3e1e5178acc4f0d899a2a1582a88b7ccc9b9c2a9f6d55f

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

224.233.78.25

56.240.227.37

96.59.105.177

253.78.52.99

149.154.159.213

89.217.209.119

195.123.220.45

177.223.102.4

6.164.247.12

250.48.199.39

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 3 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2AA813~1.DLL	family_danabot
C:\Users\Admin\AppData\Local\Temp\2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.dll	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

7 5000 rundll32.exe
25 5000 rundll32.exe
38 5000 rundll32.exe
39 5000 rundll32.exe
40 5000 rundll32.exe
42 5000 rundll32.exe
43 5000 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

4192 regsvr32.exe
5000 rundll32.exe

flow	pid	process
7	5000	rundll32.exe
25	5000	rundll32.exe
38	5000	rundll32.exe
39	5000	rundll32.exe
40	5000	rundll32.exe
42	5000	rundll32.exe
43	5000	rundll32.exe

pid	process
4192	regsvr32.exe
5000	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exeregsvr32.exe

description	pid	process	target process
PID 1496 wrote to memory of 4192	1496	2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe	regsvr32.exe
PID 1496 wrote to memory of 4192	1496	2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe	regsvr32.exe
PID 1496 wrote to memory of 4192	1496	2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe	regsvr32.exe
PID 4192 wrote to memory of 5000	4192	regsvr32.exe	rundll32.exe
PID 4192 wrote to memory of 5000	4192	regsvr32.exe	rundll32.exe
PID 4192 wrote to memory of 5000	4192	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe
"C:\Users\Admin\AppData\Local\Temp\2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\2AA813~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\2AA813~1.EXE@1496
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2AA813~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2AA813~1.DLL
Filesize
671KB

MD5
32ef4e43303babdf44b160d204932be0

SHA1
b0813e28afac320d333fdb6e51ed7bef1aeda644

SHA256
2cd67f4cb19363a56b9b0e89437e5683bcffdd32e5ccd807c32fcf013a560d1f

SHA512
84a84a7bb0ef4c3db35a9ca958f7888bb74cd01a2406e6738ff2f3846aa0995d3e0065bd977526c8dafbb718982254badecd84d6fa9e9289ca6a30cbc78f5e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.dll
Filesize
671KB

MD5
32ef4e43303babdf44b160d204932be0

SHA1
b0813e28afac320d333fdb6e51ed7bef1aeda644

SHA256
2cd67f4cb19363a56b9b0e89437e5683bcffdd32e5ccd807c32fcf013a560d1f

SHA512
84a84a7bb0ef4c3db35a9ca958f7888bb74cd01a2406e6738ff2f3846aa0995d3e0065bd977526c8dafbb718982254badecd84d6fa9e9289ca6a30cbc78f5e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aa813e888606a1acab6e89ea886c993d448f1ae97a0f46fb8cc670decc850f1.dll
Filesize
671KB

MD5
32ef4e43303babdf44b160d204932be0

SHA1
b0813e28afac320d333fdb6e51ed7bef1aeda644

SHA256
2cd67f4cb19363a56b9b0e89437e5683bcffdd32e5ccd807c32fcf013a560d1f

SHA512
84a84a7bb0ef4c3db35a9ca958f7888bb74cd01a2406e6738ff2f3846aa0995d3e0065bd977526c8dafbb718982254badecd84d6fa9e9289ca6a30cbc78f5e06

Download Submit
memory/4192-130-0x0000000000000000-mapping.dmp

Download
memory/5000-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing