danabot | 6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9

General

Target

6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.exe
Size

998KB
MD5

695a4122879652c1a3d32bddb0957b35
SHA1

6375f5a1a70fc999dc760734cca1ce248e9b53fa
SHA256

6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9
SHA512

db8ae2b5b1af341dc040a16719753d833914b9737d37fa9237b62f8023e0e8f6f35089b3072822e28b02a4a84dc109ddf49d4daef4ad6c7e72ec7b48d1c6fd84

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

5.61.58.130

2.56.213.39

2.56.212.4

5.61.56.192

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 4 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\6F6A2A~1.DLL	family_danabot
C:\Users\Admin\AppData\Local\Temp\6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.dll	family_danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
26	772	rundll32.exe
36	772	rundll32.exe
37	772	rundll32.exe
39	772	rundll32.exe
49	772	rundll32.exe
55	772	rundll32.exe
66	772	rundll32.exe
77	772	rundll32.exe
78	772	rundll32.exe
79	772	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

4628 regsvr32.exe
4628 regsvr32.exe
772 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4104 2220 WerFault.exe 6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.exe

pid	process
4628	regsvr32.exe
4628	regsvr32.exe
772	rundll32.exe

pid	pid_target	process	target process
4104	2220	WerFault.exe	6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.exeregsvr32.exe

description	pid	process	target process
PID 2220 wrote to memory of 4628	2220	6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.exe	regsvr32.exe
PID 2220 wrote to memory of 4628	2220	6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.exe	regsvr32.exe
PID 2220 wrote to memory of 4628	2220	6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.exe	regsvr32.exe
PID 4628 wrote to memory of 772	4628	regsvr32.exe	rundll32.exe
PID 4628 wrote to memory of 772	4628	regsvr32.exe	rundll32.exe
PID 4628 wrote to memory of 772	4628	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.exe
"C:\Users\Admin\AppData\Local\Temp\6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\6F6A2A~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\6F6A2A~1.EXE@2220
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6F6A2A~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 460
2⤵
- Program crash
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2220 -ip 2220
1⤵
PID:4504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6F6A2A~1.DLL
Filesize
725KB

MD5
31c151abf0e267dcbf59687f5eaea977

SHA1
504c905865348144068a2b7bf3249e8c1d3ce8d7

SHA256
e6b99e7a0925e5b5c1ac08f9af988dd4682f47dbf6fa698decf1285a1ee062f3

SHA512
473c968fd7507b708cb7a4357f0655b8fc9e139548048dee9201db1ef7900a0a8f393cc20a34c9d6a2c2ec346651a1bd676de5fdd0da7473f6b4106f221b11d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.dll
Filesize
725KB

MD5
31c151abf0e267dcbf59687f5eaea977

SHA1
504c905865348144068a2b7bf3249e8c1d3ce8d7

SHA256
e6b99e7a0925e5b5c1ac08f9af988dd4682f47dbf6fa698decf1285a1ee062f3

SHA512
473c968fd7507b708cb7a4357f0655b8fc9e139548048dee9201db1ef7900a0a8f393cc20a34c9d6a2c2ec346651a1bd676de5fdd0da7473f6b4106f221b11d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.dll
Filesize
725KB

MD5
31c151abf0e267dcbf59687f5eaea977

SHA1
504c905865348144068a2b7bf3249e8c1d3ce8d7

SHA256
e6b99e7a0925e5b5c1ac08f9af988dd4682f47dbf6fa698decf1285a1ee062f3

SHA512
473c968fd7507b708cb7a4357f0655b8fc9e139548048dee9201db1ef7900a0a8f393cc20a34c9d6a2c2ec346651a1bd676de5fdd0da7473f6b4106f221b11d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f6a2ab9d85173b049ed2654e9efda2332b215ba4480618177a789ff0af1d0f9.dll
Filesize
725KB

MD5
31c151abf0e267dcbf59687f5eaea977

SHA1
504c905865348144068a2b7bf3249e8c1d3ce8d7

SHA256
e6b99e7a0925e5b5c1ac08f9af988dd4682f47dbf6fa698decf1285a1ee062f3

SHA512
473c968fd7507b708cb7a4357f0655b8fc9e139548048dee9201db1ef7900a0a8f393cc20a34c9d6a2c2ec346651a1bd676de5fdd0da7473f6b4106f221b11d5

Download Submit
memory/772-138-0x0000000000000000-mapping.dmp

Download
memory/2220-130-0x0000000002383000-0x000000000244F000-memory.dmp

Filesize
816KB

Download
memory/2220-131-0x0000000002450000-0x0000000002530000-memory.dmp

Filesize
896KB

Download
memory/2220-132-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/2220-140-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/4628-133-0x0000000000000000-mapping.dmp

Download
memory/4628-137-0x00000000020E0000-0x00000000021A3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads