danabot | dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e

General

Target

dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe
Size

579KB
MD5

a8262d370c97e29bbadafc1bf1e9a8d8
SHA1

9e17405cc78961b0a694721214527c6a994240c4
SHA256

dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e
SHA512

7f60ba689d5dbfaa18b831fc40156961a13bb63b4028bafacebf2c05ab44c3630df0fc93f0e33b383355d2b27b36511587e98a5169cf6089830c4b20bb56bd8b

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

5.61.56.192

5.61.58.130

2.56.212.4

37.149.137.207

160.201.198.109

61.8.211.106

12.37.246.239

93.24.204.214

194.27.196.221

2.56.213.39

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
1	1172	rundll32.exe
2	1172	rundll32.exe
4	1172	rundll32.exe
5	1172	rundll32.exe
6	1172	rundll32.exe
7	1172	rundll32.exe
10	1172	rundll32.exe
11	1172	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1328 regsvr32.exe
1172 rundll32.exe
1172 rundll32.exe
1172 rundll32.exe
1172 rundll32.exe

pid	process
1328	regsvr32.exe
1172	rundll32.exe
1172	rundll32.exe
1172	rundll32.exe
1172	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exeregsvr32.exe

description	pid	process	target process
PID 1492 wrote to memory of 1328	1492	dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe	regsvr32.exe
PID 1492 wrote to memory of 1328	1492	dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe	regsvr32.exe
PID 1492 wrote to memory of 1328	1492	dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe	regsvr32.exe
PID 1492 wrote to memory of 1328	1492	dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe	regsvr32.exe
PID 1492 wrote to memory of 1328	1492	dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe	regsvr32.exe
PID 1492 wrote to memory of 1328	1492	dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe	regsvr32.exe
PID 1492 wrote to memory of 1328	1492	dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe	regsvr32.exe
PID 1328 wrote to memory of 1172	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1172	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1172	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1172	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1172	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1172	1328	regsvr32.exe	rundll32.exe
PID 1328 wrote to memory of 1172	1328	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe
"C:\Users\Admin\AppData\Local\Temp\dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\DCEBC2~1.EXE@1492
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL
Filesize
358KB

MD5
58494bb8deb6d215d0761df70604b488

SHA1
588c4967fa553fd00f6b47762c861d0a13a1c84f

SHA256
b7f84cba4c011209953a6a8324288c60026260c4d6375025c08e17d5c95e106e

SHA512
347f34d24cd52171f5e856efc6641809bfe8dd5330c45db23feb2abbdeec61fac6feca82228e69c8fb5dab046bd6995441ae8982f8118d0767c353c9322a7c2c

Download Submit
\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL
Filesize
358KB

MD5
58494bb8deb6d215d0761df70604b488

SHA1
588c4967fa553fd00f6b47762c861d0a13a1c84f

SHA256
b7f84cba4c011209953a6a8324288c60026260c4d6375025c08e17d5c95e106e

SHA512
347f34d24cd52171f5e856efc6641809bfe8dd5330c45db23feb2abbdeec61fac6feca82228e69c8fb5dab046bd6995441ae8982f8118d0767c353c9322a7c2c

Download Submit
\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL
Filesize
358KB

MD5
58494bb8deb6d215d0761df70604b488

SHA1
588c4967fa553fd00f6b47762c861d0a13a1c84f

SHA256
b7f84cba4c011209953a6a8324288c60026260c4d6375025c08e17d5c95e106e

SHA512
347f34d24cd52171f5e856efc6641809bfe8dd5330c45db23feb2abbdeec61fac6feca82228e69c8fb5dab046bd6995441ae8982f8118d0767c353c9322a7c2c

Download Submit
\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL
Filesize
358KB

MD5
58494bb8deb6d215d0761df70604b488

SHA1
588c4967fa553fd00f6b47762c861d0a13a1c84f

SHA256
b7f84cba4c011209953a6a8324288c60026260c4d6375025c08e17d5c95e106e

SHA512
347f34d24cd52171f5e856efc6641809bfe8dd5330c45db23feb2abbdeec61fac6feca82228e69c8fb5dab046bd6995441ae8982f8118d0767c353c9322a7c2c

Download Submit
\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL
Filesize
358KB

MD5
58494bb8deb6d215d0761df70604b488

SHA1
588c4967fa553fd00f6b47762c861d0a13a1c84f

SHA256
b7f84cba4c011209953a6a8324288c60026260c4d6375025c08e17d5c95e106e

SHA512
347f34d24cd52171f5e856efc6641809bfe8dd5330c45db23feb2abbdeec61fac6feca82228e69c8fb5dab046bd6995441ae8982f8118d0767c353c9322a7c2c

Download Submit
\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL
Filesize
358KB

MD5
58494bb8deb6d215d0761df70604b488

SHA1
588c4967fa553fd00f6b47762c861d0a13a1c84f

SHA256
b7f84cba4c011209953a6a8324288c60026260c4d6375025c08e17d5c95e106e

SHA512
347f34d24cd52171f5e856efc6641809bfe8dd5330c45db23feb2abbdeec61fac6feca82228e69c8fb5dab046bd6995441ae8982f8118d0767c353c9322a7c2c

Download Submit
memory/1172-64-0x0000000000000000-mapping.dmp

Download
memory/1172-70-0x00000000002B0000-0x0000000000317000-memory.dmp

Filesize
412KB

Download
memory/1328-59-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1328-57-0x0000000000000000-mapping.dmp

Download
memory/1328-63-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/1492-58-0x0000000000FCB000-0x000000000103B000-memory.dmp

Filesize
448KB

Download
memory/1492-60-0x0000000000400000-0x0000000000B41000-memory.dmp

Filesize
7.3MB

Download
memory/1492-56-0x0000000000400000-0x0000000000B41000-memory.dmp

Filesize
7.3MB

Download
memory/1492-55-0x0000000000230000-0x00000000002B4000-memory.dmp

Filesize
528KB

Download
memory/1492-54-0x0000000000FCB000-0x000000000103B000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads