danabot | 223160a552cbf409f2d6dd87ddec5ee75592c53bace88f2dccc827c9e80f7f53

Resubmissions

17-06-2022 20:32

220617-zbrndsdcbm 10

21-04-2022 11:13

220421-nbs1nsafcm 8

04-03-2022 09:30

220304-lgv14sebh5 3

03-03-2022 14:25

220303-rrg5wsdbej 10

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-06-2022 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe
Size

2.3MB
MD5

daaefbd8d541235a00593af2bb5a3e27
SHA1

428bb7e395f87070d55ef7fa08fe8296d640c20f
SHA256

7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513
SHA512

ed59e719c3de251c456e1a5e8805bdae302440b03e31959ec16088f0a6a725d1f374d6fa6a7b61ecd0f83e7da4e818ea83d32d48374981b94e3071c1c0a10669

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

23.106.122.14:443

5.9.224.217:443

192.236.161.4:443

Attributes

embedded_hash
93390DEC2D9EB6E43445264DBEDDE13F
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
2	748	rundll32.exe
4	748	rundll32.exe
6	748	rundll32.exe
7	748	rundll32.exe
8	748	rundll32.exe
9	748	rundll32.exe
10	748	rundll32.exe
11	748	rundll32.exe
12	748	rundll32.exe
13	748	rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe

description	pid	process	target process
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 948 wrote to memory of 748	948	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe
"C:\Users\Admin\AppData\Local\Temp\7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-94-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/748-95-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/748-56-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/748-58-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/748-90-0x0000000000000000-mapping.dmp

Download
memory/748-92-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/748-99-0x0000000000170000-0x0000000000173000-memory.dmp

Filesize
12KB

Download
memory/748-98-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/748-97-0x0000000000150000-0x0000000000153000-memory.dmp

Filesize
12KB

Download
memory/748-96-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/748-93-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/948-54-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/948-55-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/948-100-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download