danabot | b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0

General

Target

b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe
Size

1.2MB
MD5

f0345563ece05e441e96aa1cbfeb4edd
SHA1

ab4aa38faaae74314ae8b54ab28b77d7d75c1522
SHA256

b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0
SHA512

5ef94563596e49d74b8e6c908971296b8b871ac576274d98e7af80b8c0d440e9de218c258330dadb9a6a7c0cd889c9c01479d4dea1dd410911e4eeedc6cc684e

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

45.74.187.0

146.1.214.150

158.228.122.53

202.136.199.125

149.28.180.182

4.79.227.177

44.151.109.26

178.209.51.211

167.196.69.157

149.143.183.11

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 4 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL	family_danabot
C:\Users\Admin\AppData\Local\Temp\b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.dll	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

11 4540 rundll32.exe
24 4540 rundll32.exe
30 4540 rundll32.exe
35 4540 rundll32.exe
37 4540 rundll32.exe
38 4540 rundll32.exe
40 4540 rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

4092 regsvr32.exe
4092 regsvr32.exe
4540 rundll32.exe

flow	pid	process
11	4540	rundll32.exe
24	4540	rundll32.exe
30	4540	rundll32.exe
35	4540	rundll32.exe
37	4540	rundll32.exe
38	4540	rundll32.exe
40	4540	rundll32.exe

pid	process
4092	regsvr32.exe
4092	regsvr32.exe
4540	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exeregsvr32.exe

description	pid	process	target process
PID 3780 wrote to memory of 4092	3780	b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe	regsvr32.exe
PID 3780 wrote to memory of 4092	3780	b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe	regsvr32.exe
PID 3780 wrote to memory of 4092	3780	b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe	regsvr32.exe
PID 4092 wrote to memory of 4540	4092	regsvr32.exe	rundll32.exe
PID 4092 wrote to memory of 4540	4092	regsvr32.exe	rundll32.exe
PID 4092 wrote to memory of 4540	4092	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe
"C:\Users\Admin\AppData\Local\Temp\b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\B6B8C3~1.EXE@3780
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B6B8C3~1.DLL
Filesize
1.1MB

MD5
912ae7819075827b6301cc93c9bc9c70

SHA1
baa650f63b51213dc9facebc8b0bccb87ba2df90

SHA256
be9ed9c0db43a369c641d80b674009c9c42c8b8bb3700be51f5a531d64454826

SHA512
3ad9287f6543afb0c033984037f11482f48ab93725413796a1a67738503a80864bb0ed73865f90901538d8e0f7733f1201c68d3e4a9468bebd9abb064cbff599

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.dll
Filesize
1.1MB

MD5
912ae7819075827b6301cc93c9bc9c70

SHA1
baa650f63b51213dc9facebc8b0bccb87ba2df90

SHA256
be9ed9c0db43a369c641d80b674009c9c42c8b8bb3700be51f5a531d64454826

SHA512
3ad9287f6543afb0c033984037f11482f48ab93725413796a1a67738503a80864bb0ed73865f90901538d8e0f7733f1201c68d3e4a9468bebd9abb064cbff599

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.dll
Filesize
1.1MB

MD5
912ae7819075827b6301cc93c9bc9c70

SHA1
baa650f63b51213dc9facebc8b0bccb87ba2df90

SHA256
be9ed9c0db43a369c641d80b674009c9c42c8b8bb3700be51f5a531d64454826

SHA512
3ad9287f6543afb0c033984037f11482f48ab93725413796a1a67738503a80864bb0ed73865f90901538d8e0f7733f1201c68d3e4a9468bebd9abb064cbff599

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6b8c3786d083acd1def5d1ca92b0c505981bde8ce2304d6d159c142376f66a0.dll
Filesize
1.1MB

MD5
912ae7819075827b6301cc93c9bc9c70

SHA1
baa650f63b51213dc9facebc8b0bccb87ba2df90

SHA256
be9ed9c0db43a369c641d80b674009c9c42c8b8bb3700be51f5a531d64454826

SHA512
3ad9287f6543afb0c033984037f11482f48ab93725413796a1a67738503a80864bb0ed73865f90901538d8e0f7733f1201c68d3e4a9468bebd9abb064cbff599

Download Submit
memory/4092-130-0x0000000000000000-mapping.dmp

Download
memory/4092-134-0x0000000002230000-0x000000000234E000-memory.dmp

Filesize
1.1MB

Download
memory/4540-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing