danabot | 27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d

General

Target

27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.exe
Size

667KB
MD5

65e534d2434340f6c491dafbf6517d6c
SHA1

e4807e55870dedc767eae94ba435eaf0a69bd489
SHA256

27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d
SHA512

ed4d2404cdd32bd3b746668a9790370972bf40c0cad5b3bb0ad34989c30e88bfeddf031afff004ef766dbe74a80da7f1d87b9cf70e1e5ae31186300411f825af

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

5.61.56.192

5.61.58.130

2.56.212.4

32.99.84.84

152.195.32.21

49.126.36.10

93.165.23.189

22.55.172.123

113.104.135.195

2.56.213.39

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 3 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\27FA51~1.DLL	family_danabot
C:\Users\Admin\AppData\Local\Temp\27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.dll	family_danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
5	1872	rundll32.exe
26	1872	rundll32.exe
34	1872	rundll32.exe
37	1872	rundll32.exe
38	1872	rundll32.exe
40	1872	rundll32.exe
41	1872	rundll32.exe
42	1872	rundll32.exe
43	1872	rundll32.exe
44	1872	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

5028 regsvr32.exe
1872 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1512 396 WerFault.exe 27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.exe

pid	process
5028	regsvr32.exe
1872	rundll32.exe

pid	pid_target	process	target process
1512	396	WerFault.exe	27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.exeregsvr32.exe

description	pid	process	target process
PID 396 wrote to memory of 5028	396	27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.exe	regsvr32.exe
PID 396 wrote to memory of 5028	396	27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.exe	regsvr32.exe
PID 396 wrote to memory of 5028	396	27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.exe	regsvr32.exe
PID 5028 wrote to memory of 1872	5028	regsvr32.exe	rundll32.exe
PID 5028 wrote to memory of 1872	5028	regsvr32.exe	rundll32.exe
PID 5028 wrote to memory of 1872	5028	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.exe
"C:\Users\Admin\AppData\Local\Temp\27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\27FA51~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\27FA51~1.EXE@396
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\27FA51~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 460
2⤵
- Program crash
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 396 -ip 396
1⤵
PID:4996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27FA51~1.DLL
Filesize
354KB

MD5
9f057a9101d37f71d528217b0d86b83e

SHA1
5253b75a755f67522d740d91007f0d778ebfed7d

SHA256
e904eb1fc2d61240b95b583bcaa2eb11784a053d3a482d1b2214f65da6b82e82

SHA512
7216f396bccab2dbb816c586d8338ef075e7d0e69cfba44d2a180f3c404cf955ec0c331000af37e0191e444383f09b051ddaa399a5f907c9a806759efa6a0df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.dll
Filesize
354KB

MD5
9f057a9101d37f71d528217b0d86b83e

SHA1
5253b75a755f67522d740d91007f0d778ebfed7d

SHA256
e904eb1fc2d61240b95b583bcaa2eb11784a053d3a482d1b2214f65da6b82e82

SHA512
7216f396bccab2dbb816c586d8338ef075e7d0e69cfba44d2a180f3c404cf955ec0c331000af37e0191e444383f09b051ddaa399a5f907c9a806759efa6a0df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d.dll
Filesize
354KB

MD5
9f057a9101d37f71d528217b0d86b83e

SHA1
5253b75a755f67522d740d91007f0d778ebfed7d

SHA256
e904eb1fc2d61240b95b583bcaa2eb11784a053d3a482d1b2214f65da6b82e82

SHA512
7216f396bccab2dbb816c586d8338ef075e7d0e69cfba44d2a180f3c404cf955ec0c331000af37e0191e444383f09b051ddaa399a5f907c9a806759efa6a0df7

Download Submit
memory/396-130-0x00000000007AD000-0x000000000081C000-memory.dmp

Filesize
444KB

Download
memory/396-131-0x0000000002330000-0x00000000023B4000-memory.dmp

Filesize
528KB

Download
memory/396-132-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/396-138-0x00000000007AD000-0x000000000081C000-memory.dmp

Filesize
444KB

Download
memory/396-139-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1872-136-0x0000000000000000-mapping.dmp

Download
memory/5028-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads