danabot | 388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03

General

Target

388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe
Size

1.0MB
MD5

fee86ee228084c3126a596d9f375f960
SHA1

9ef35a4fd88dcf47fcfdad492543c908b320a511
SHA256

388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03
SHA512

123ebbf1cc27ea7e042c1ed5f5c7dcb85f47d7f543cbca0953e84d6318159d0262d21ab2b48e8eb68c7dbc1d62f996ef77cda9c5673cb3a7ec5690169a0c569c

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

5.61.58.130

2.56.213.39

2.56.212.4

5.61.56.192

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\388B0F~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\388B0F~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\388B0F~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\388B0F~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\388B0F~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\388B0F~1.DLL	family_danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
2	1252	rundll32.exe
3	1252	rundll32.exe
4	1252	rundll32.exe
5	1252	rundll32.exe
6	1252	rundll32.exe
7	1252	rundll32.exe
8	1252	rundll32.exe
9	1252	rundll32.exe
10	1252	rundll32.exe
11	1252	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1712 regsvr32.exe
1252 rundll32.exe
1252 rundll32.exe
1252 rundll32.exe
1252 rundll32.exe

pid	process
1712	regsvr32.exe
1252	rundll32.exe
1252	rundll32.exe
1252	rundll32.exe
1252	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exeregsvr32.exe

description	pid	process	target process
PID 1364 wrote to memory of 1712	1364	388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe	regsvr32.exe
PID 1364 wrote to memory of 1712	1364	388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe	regsvr32.exe
PID 1364 wrote to memory of 1712	1364	388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe	regsvr32.exe
PID 1364 wrote to memory of 1712	1364	388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe	regsvr32.exe
PID 1364 wrote to memory of 1712	1364	388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe	regsvr32.exe
PID 1364 wrote to memory of 1712	1364	388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe	regsvr32.exe
PID 1364 wrote to memory of 1712	1364	388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe	regsvr32.exe
PID 1712 wrote to memory of 1252	1712	regsvr32.exe	rundll32.exe
PID 1712 wrote to memory of 1252	1712	regsvr32.exe	rundll32.exe
PID 1712 wrote to memory of 1252	1712	regsvr32.exe	rundll32.exe
PID 1712 wrote to memory of 1252	1712	regsvr32.exe	rundll32.exe
PID 1712 wrote to memory of 1252	1712	regsvr32.exe	rundll32.exe
PID 1712 wrote to memory of 1252	1712	regsvr32.exe	rundll32.exe
PID 1712 wrote to memory of 1252	1712	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe
"C:\Users\Admin\AppData\Local\Temp\388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\388B0F~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\388B0F~1.EXE@1364
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\388B0F~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\388B0F~1.DLL
Filesize
725KB

MD5
8dcdfd72fd6e33ec7d7d03466b06fcad

SHA1
f2589526876aea35da17af31e15b3d3f66158e6a

SHA256
df80e4bf59b1751482aa28225f435c48c7e4c239b522049bb8f835947cb37fba

SHA512
71b2f84cd5be2af0f92bfc34c4ae0912b4cc607f3bcf88d69e60c394f94b21904b7fd0baee2e3572e000eb8774fc9aad2c3b818120300498458ecf7e7613fde2

Download Submit
\Users\Admin\AppData\Local\Temp\388B0F~1.DLL
Filesize
725KB

MD5
8dcdfd72fd6e33ec7d7d03466b06fcad

SHA1
f2589526876aea35da17af31e15b3d3f66158e6a

SHA256
df80e4bf59b1751482aa28225f435c48c7e4c239b522049bb8f835947cb37fba

SHA512
71b2f84cd5be2af0f92bfc34c4ae0912b4cc607f3bcf88d69e60c394f94b21904b7fd0baee2e3572e000eb8774fc9aad2c3b818120300498458ecf7e7613fde2

Download Submit
\Users\Admin\AppData\Local\Temp\388B0F~1.DLL
Filesize
725KB

MD5
8dcdfd72fd6e33ec7d7d03466b06fcad

SHA1
f2589526876aea35da17af31e15b3d3f66158e6a

SHA256
df80e4bf59b1751482aa28225f435c48c7e4c239b522049bb8f835947cb37fba

SHA512
71b2f84cd5be2af0f92bfc34c4ae0912b4cc607f3bcf88d69e60c394f94b21904b7fd0baee2e3572e000eb8774fc9aad2c3b818120300498458ecf7e7613fde2

Download Submit
\Users\Admin\AppData\Local\Temp\388B0F~1.DLL
Filesize
725KB

MD5
8dcdfd72fd6e33ec7d7d03466b06fcad

SHA1
f2589526876aea35da17af31e15b3d3f66158e6a

SHA256
df80e4bf59b1751482aa28225f435c48c7e4c239b522049bb8f835947cb37fba

SHA512
71b2f84cd5be2af0f92bfc34c4ae0912b4cc607f3bcf88d69e60c394f94b21904b7fd0baee2e3572e000eb8774fc9aad2c3b818120300498458ecf7e7613fde2

Download Submit
\Users\Admin\AppData\Local\Temp\388B0F~1.DLL
Filesize
725KB

MD5
8dcdfd72fd6e33ec7d7d03466b06fcad

SHA1
f2589526876aea35da17af31e15b3d3f66158e6a

SHA256
df80e4bf59b1751482aa28225f435c48c7e4c239b522049bb8f835947cb37fba

SHA512
71b2f84cd5be2af0f92bfc34c4ae0912b4cc607f3bcf88d69e60c394f94b21904b7fd0baee2e3572e000eb8774fc9aad2c3b818120300498458ecf7e7613fde2

Download Submit
\Users\Admin\AppData\Local\Temp\388B0F~1.DLL
Filesize
725KB

MD5
8dcdfd72fd6e33ec7d7d03466b06fcad

SHA1
f2589526876aea35da17af31e15b3d3f66158e6a

SHA256
df80e4bf59b1751482aa28225f435c48c7e4c239b522049bb8f835947cb37fba

SHA512
71b2f84cd5be2af0f92bfc34c4ae0912b4cc607f3bcf88d69e60c394f94b21904b7fd0baee2e3572e000eb8774fc9aad2c3b818120300498458ecf7e7613fde2

Download Submit
memory/1252-63-0x0000000000000000-mapping.dmp

Download
memory/1252-69-0x0000000000340000-0x0000000000403000-memory.dmp

Filesize
780KB

Download
memory/1364-62-0x0000000000400000-0x00000000047A0000-memory.dmp

Filesize
67.6MB

Download
memory/1364-54-0x0000000005F00000-0x0000000005FCC000-memory.dmp

Filesize
816KB

Download
memory/1364-56-0x0000000005FE0000-0x00000000060C0000-memory.dmp

Filesize
896KB

Download
memory/1364-55-0x0000000005F00000-0x0000000005FCC000-memory.dmp

Filesize
816KB

Download
memory/1364-70-0x0000000000400000-0x00000000047A0000-memory.dmp

Filesize
67.6MB

Download
memory/1712-61-0x0000000000590000-0x0000000000653000-memory.dmp

Filesize
780KB

Download
memory/1712-58-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1712-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads