danabot | b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0

General

Target

b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe
Size

1.2MB
MD5

f0345563ece05e441e96aa1cbfeb4edd
SHA1

ab4aa38faaae74314ae8b54ab28b77d7d75c1522
SHA256

b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0
SHA512

5ef94563596e49d74b8e6c908971296b8b871ac576274d98e7af80b8c0d440e9de218c258330dadb9a6a7c0cd889c9c01479d4dea1dd410911e4eeedc6cc684e

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

45.74.187.0

146.1.214.150

158.228.122.53

202.136.199.125

149.28.180.182

4.79.227.177

44.151.109.26

178.209.51.211

167.196.69.157

149.143.183.11

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL	family_danabot

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

2 1728 rundll32.exe
3 1728 rundll32.exe
4 1728 rundll32.exe
5 1728 rundll32.exe
6 1728 rundll32.exe
Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

328 regsvr32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

328 regsvr32.exe
1728 rundll32.exe
1728 rundll32.exe
1728 rundll32.exe
1728 rundll32.exe

flow	pid	process
2	1728	rundll32.exe
3	1728	rundll32.exe
4	1728	rundll32.exe
5	1728	rundll32.exe
6	1728	rundll32.exe

pid	process
328	regsvr32.exe

pid	process
328	regsvr32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exeregsvr32.exe

description	pid	process	target process
PID 1468 wrote to memory of 328	1468	b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe	regsvr32.exe
PID 1468 wrote to memory of 328	1468	b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe	regsvr32.exe
PID 1468 wrote to memory of 328	1468	b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe	regsvr32.exe
PID 1468 wrote to memory of 328	1468	b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe	regsvr32.exe
PID 1468 wrote to memory of 328	1468	b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe	regsvr32.exe
PID 1468 wrote to memory of 328	1468	b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe	regsvr32.exe
PID 1468 wrote to memory of 328	1468	b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe	regsvr32.exe
PID 328 wrote to memory of 1728	328	regsvr32.exe	rundll32.exe
PID 328 wrote to memory of 1728	328	regsvr32.exe	rundll32.exe
PID 328 wrote to memory of 1728	328	regsvr32.exe	rundll32.exe
PID 328 wrote to memory of 1728	328	regsvr32.exe	rundll32.exe
PID 328 wrote to memory of 1728	328	regsvr32.exe	rundll32.exe
PID 328 wrote to memory of 1728	328	regsvr32.exe	rundll32.exe
PID 328 wrote to memory of 1728	328	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe
"C:\Users\Admin\AppData\Local\Temp\b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\B6B8C3~1.EXE@1468
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL
Filesize
1.1MB

MD5
9fd43173283b7fb278eb565915ddcfe8

SHA1
6aa1881715b883d4c5e60d9d4e29791d5f40805a

SHA256
cad457a0297f6895527dc7a60273005f06b9d10f0a35c807c5d33b5f0cc8d746

SHA512
469466bba29496f84be2cb1e96bd25313077649ca9872cfde629d4e2c81f35433d25e78637d05e30a35cf40e826c1ea37d958bd9c2781cb2dc8842716d09d96a

Download Submit
\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL
Filesize
1.1MB

MD5
9fd43173283b7fb278eb565915ddcfe8

SHA1
6aa1881715b883d4c5e60d9d4e29791d5f40805a

SHA256
cad457a0297f6895527dc7a60273005f06b9d10f0a35c807c5d33b5f0cc8d746

SHA512
469466bba29496f84be2cb1e96bd25313077649ca9872cfde629d4e2c81f35433d25e78637d05e30a35cf40e826c1ea37d958bd9c2781cb2dc8842716d09d96a

Download Submit
\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL
Filesize
1.1MB

MD5
9fd43173283b7fb278eb565915ddcfe8

SHA1
6aa1881715b883d4c5e60d9d4e29791d5f40805a

SHA256
cad457a0297f6895527dc7a60273005f06b9d10f0a35c807c5d33b5f0cc8d746

SHA512
469466bba29496f84be2cb1e96bd25313077649ca9872cfde629d4e2c81f35433d25e78637d05e30a35cf40e826c1ea37d958bd9c2781cb2dc8842716d09d96a

Download Submit
\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL
Filesize
1.1MB

MD5
9fd43173283b7fb278eb565915ddcfe8

SHA1
6aa1881715b883d4c5e60d9d4e29791d5f40805a

SHA256
cad457a0297f6895527dc7a60273005f06b9d10f0a35c807c5d33b5f0cc8d746

SHA512
469466bba29496f84be2cb1e96bd25313077649ca9872cfde629d4e2c81f35433d25e78637d05e30a35cf40e826c1ea37d958bd9c2781cb2dc8842716d09d96a

Download Submit
\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL
Filesize
1.1MB

MD5
9fd43173283b7fb278eb565915ddcfe8

SHA1
6aa1881715b883d4c5e60d9d4e29791d5f40805a

SHA256
cad457a0297f6895527dc7a60273005f06b9d10f0a35c807c5d33b5f0cc8d746

SHA512
469466bba29496f84be2cb1e96bd25313077649ca9872cfde629d4e2c81f35433d25e78637d05e30a35cf40e826c1ea37d958bd9c2781cb2dc8842716d09d96a

Download Submit
\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL
Filesize
1.1MB

MD5
9fd43173283b7fb278eb565915ddcfe8

SHA1
6aa1881715b883d4c5e60d9d4e29791d5f40805a

SHA256
cad457a0297f6895527dc7a60273005f06b9d10f0a35c807c5d33b5f0cc8d746

SHA512
469466bba29496f84be2cb1e96bd25313077649ca9872cfde629d4e2c81f35433d25e78637d05e30a35cf40e826c1ea37d958bd9c2781cb2dc8842716d09d96a

Download Submit
memory/328-54-0x0000000000000000-mapping.dmp

Download
memory/328-55-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/328-58-0x0000000000B00000-0x0000000000C1E000-memory.dmp

Filesize
1.1MB

Download
memory/1728-59-0x0000000000000000-mapping.dmp

Download
memory/1728-65-0x0000000001E60000-0x0000000001F7E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing