danabot | 223160a552cbf409f2d6dd87ddec5ee75592c53bace88f2dccc827c9e80f7f53

General

Target

7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe
Size

2.3MB
MD5

daaefbd8d541235a00593af2bb5a3e27
SHA1

428bb7e395f87070d55ef7fa08fe8296d640c20f
SHA256

7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513
SHA512

ed59e719c3de251c456e1a5e8805bdae302440b03e31959ec16088f0a6a725d1f374d6fa6a7b61ecd0f83e7da4e818ea83d32d48374981b94e3071c1c0a10669

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.106.122.14:443

5.9.224.217:443

192.236.161.4:443

Attributes

embedded_hash
93390DEC2D9EB6E43445264DBEDDE13F
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

5 5008 rundll32.exe
18 5008 rundll32.exe
27 5008 rundll32.exe
35 5008 rundll32.exe
38 5008 rundll32.exe
39 5008 rundll32.exe
41 5008 rundll32.exe

flow	pid	process
5	5008	rundll32.exe
18	5008	rundll32.exe
27	5008	rundll32.exe
35	5008	rundll32.exe
38	5008	rundll32.exe
39	5008	rundll32.exe
41	5008	rundll32.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe

description	pid	process	target process
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe
PID 4676 wrote to memory of 5008	4676	7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe
"C:\Users\Admin\AppData\Local\Temp\7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:5008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4676-130-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/4676-149-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/5008-140-0x0000000000330000-0x0000000000333000-memory.dmp

Filesize
12KB

Download
memory/5008-141-0x0000000000340000-0x0000000000343000-memory.dmp

Filesize
12KB

Download
memory/5008-134-0x00000000002D0000-0x00000000002D3000-memory.dmp

Filesize
12KB

Download
memory/5008-135-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/5008-136-0x00000000002F0000-0x00000000002F3000-memory.dmp

Filesize
12KB

Download
memory/5008-137-0x0000000000300000-0x0000000000303000-memory.dmp

Filesize
12KB

Download
memory/5008-138-0x0000000000310000-0x0000000000313000-memory.dmp

Filesize
12KB

Download
memory/5008-139-0x0000000000320000-0x0000000000323000-memory.dmp

Filesize
12KB

Download
memory/5008-132-0x00000000002B0000-0x00000000002B3000-memory.dmp

Filesize
12KB

Download
memory/5008-133-0x00000000002C0000-0x00000000002C3000-memory.dmp

Filesize
12KB

Download
memory/5008-142-0x0000000000350000-0x0000000000353000-memory.dmp

Filesize
12KB

Download
memory/5008-143-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/5008-144-0x0000000000370000-0x0000000000373000-memory.dmp

Filesize
12KB

Download
memory/5008-146-0x0000000000390000-0x0000000000393000-memory.dmp

Filesize
12KB

Download
memory/5008-147-0x00000000003A0000-0x00000000003A3000-memory.dmp

Filesize
12KB

Download
memory/5008-145-0x0000000000380000-0x0000000000383000-memory.dmp

Filesize
12KB

Download
memory/5008-148-0x00000000003B0000-0x00000000003B3000-memory.dmp

Filesize
12KB

Download
memory/5008-131-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing