danabot | dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e

General

Target

dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe
Size

579KB
MD5

a8262d370c97e29bbadafc1bf1e9a8d8
SHA1

9e17405cc78961b0a694721214527c6a994240c4
SHA256

dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e
SHA512

7f60ba689d5dbfaa18b831fc40156961a13bb63b4028bafacebf2c05ab44c3630df0fc93f0e33b383355d2b27b36511587e98a5169cf6089830c4b20bb56bd8b

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

5.61.56.192

5.61.58.130

2.56.212.4

37.149.137.207

160.201.198.109

61.8.211.106

12.37.246.239

93.24.204.214

194.27.196.221

2.56.213.39

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 3 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL	family_danabot
C:\Users\Admin\AppData\Local\Temp\dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.dll	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

10 4500 rundll32.exe
24 4500 rundll32.exe
30 4500 rundll32.exe
34 4500 rundll32.exe
37 4500 rundll32.exe
39 4500 rundll32.exe
44 4500 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

3332 regsvr32.exe
4500 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4792 4044 WerFault.exe dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe

flow	pid	process
10	4500	rundll32.exe
24	4500	rundll32.exe
30	4500	rundll32.exe
34	4500	rundll32.exe
37	4500	rundll32.exe
39	4500	rundll32.exe
44	4500	rundll32.exe

pid	process
3332	regsvr32.exe
4500	rundll32.exe

pid	pid_target	process	target process
4792	4044	WerFault.exe	dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exeregsvr32.exe

description	pid	process	target process
PID 4044 wrote to memory of 3332	4044	dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe	regsvr32.exe
PID 4044 wrote to memory of 3332	4044	dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe	regsvr32.exe
PID 4044 wrote to memory of 3332	4044	dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe	regsvr32.exe
PID 3332 wrote to memory of 4500	3332	regsvr32.exe	rundll32.exe
PID 3332 wrote to memory of 4500	3332	regsvr32.exe	rundll32.exe
PID 3332 wrote to memory of 4500	3332	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe
"C:\Users\Admin\AppData\Local\Temp\dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\DCEBC2~1.EXE@4044
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 488
2⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4044 -ip 4044
1⤵
PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DCEBC2~1.DLL
Filesize
358KB

MD5
438061a92a62b7170719ddeb8adbd048

SHA1
fe55b85f0c027d8429f534b511888d940c37ffd3

SHA256
c8a1079b012f8a01e25ae5900af508835dd1b8644cbe3656a1bbdad01b33c6a0

SHA512
d06ba5ebb9a91e1aed0d911c5aa1ff24cd13df081055a1388e033d4d1d8dd668072738ca64a6172c1216656e5fb51d7f905f074e686a9a427e5b6b59bf7294d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.dll
Filesize
358KB

MD5
438061a92a62b7170719ddeb8adbd048

SHA1
fe55b85f0c027d8429f534b511888d940c37ffd3

SHA256
c8a1079b012f8a01e25ae5900af508835dd1b8644cbe3656a1bbdad01b33c6a0

SHA512
d06ba5ebb9a91e1aed0d911c5aa1ff24cd13df081055a1388e033d4d1d8dd668072738ca64a6172c1216656e5fb51d7f905f074e686a9a427e5b6b59bf7294d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcebc2afe81190515a12f8e775cce9a65f1ffd75a596236016ae34452cb6b81e.dll
Filesize
358KB

MD5
438061a92a62b7170719ddeb8adbd048

SHA1
fe55b85f0c027d8429f534b511888d940c37ffd3

SHA256
c8a1079b012f8a01e25ae5900af508835dd1b8644cbe3656a1bbdad01b33c6a0

SHA512
d06ba5ebb9a91e1aed0d911c5aa1ff24cd13df081055a1388e033d4d1d8dd668072738ca64a6172c1216656e5fb51d7f905f074e686a9a427e5b6b59bf7294d1

Download Submit
memory/3332-133-0x0000000000000000-mapping.dmp

Download
memory/4044-131-0x00000000027B0000-0x0000000002834000-memory.dmp

Filesize
528KB

Download
memory/4044-130-0x0000000000E2D000-0x0000000000E9D000-memory.dmp

Filesize
448KB

Download
memory/4044-132-0x0000000000400000-0x0000000000B41000-memory.dmp

Filesize
7.3MB

Download
memory/4044-138-0x0000000000E2D000-0x0000000000E9D000-memory.dmp

Filesize
448KB

Download
memory/4044-139-0x0000000000400000-0x0000000000B41000-memory.dmp

Filesize
7.3MB

Download
memory/4500-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing