danabot | 388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03

General

Target

388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe
Size

1.0MB
MD5

fee86ee228084c3126a596d9f375f960
SHA1

9ef35a4fd88dcf47fcfdad492543c908b320a511
SHA256

388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03
SHA512

123ebbf1cc27ea7e042c1ed5f5c7dcb85f47d7f543cbca0953e84d6318159d0262d21ab2b48e8eb68c7dbc1d62f996ef77cda9c5673cb3a7ec5690169a0c569c

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

5.61.58.130

2.56.213.39

2.56.212.4

5.61.56.192

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 3 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\388B0F~1.DLL	family_danabot
C:\Users\Admin\AppData\Local\Temp\388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.dll	family_danabot

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

44 2172 rundll32.exe
45 2172 rundll32.exe
50 2172 rundll32.exe
51 2172 rundll32.exe
52 2172 rundll32.exe
53 2172 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

3016 regsvr32.exe
2172 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1516 1984 WerFault.exe 388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe

flow	pid	process
44	2172	rundll32.exe
45	2172	rundll32.exe
50	2172	rundll32.exe
51	2172	rundll32.exe
52	2172	rundll32.exe
53	2172	rundll32.exe

pid	process
3016	regsvr32.exe
2172	rundll32.exe

pid	pid_target	process	target process
1516	1984	WerFault.exe	388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exeregsvr32.exe

description	pid	process	target process
PID 1984 wrote to memory of 3016	1984	388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe	regsvr32.exe
PID 1984 wrote to memory of 3016	1984	388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe	regsvr32.exe
PID 1984 wrote to memory of 3016	1984	388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe	regsvr32.exe
PID 3016 wrote to memory of 2172	3016	regsvr32.exe	rundll32.exe
PID 3016 wrote to memory of 2172	3016	regsvr32.exe	rundll32.exe
PID 3016 wrote to memory of 2172	3016	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe
"C:\Users\Admin\AppData\Local\Temp\388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\388B0F~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\388B0F~1.EXE@1984
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\388B0F~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 476
2⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1984 -ip 1984
1⤵
PID:3320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\388B0F~1.DLL
Filesize
725KB

MD5
31c151abf0e267dcbf59687f5eaea977

SHA1
504c905865348144068a2b7bf3249e8c1d3ce8d7

SHA256
e6b99e7a0925e5b5c1ac08f9af988dd4682f47dbf6fa698decf1285a1ee062f3

SHA512
473c968fd7507b708cb7a4357f0655b8fc9e139548048dee9201db1ef7900a0a8f393cc20a34c9d6a2c2ec346651a1bd676de5fdd0da7473f6b4106f221b11d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.dll
Filesize
725KB

MD5
31c151abf0e267dcbf59687f5eaea977

SHA1
504c905865348144068a2b7bf3249e8c1d3ce8d7

SHA256
e6b99e7a0925e5b5c1ac08f9af988dd4682f47dbf6fa698decf1285a1ee062f3

SHA512
473c968fd7507b708cb7a4357f0655b8fc9e139548048dee9201db1ef7900a0a8f393cc20a34c9d6a2c2ec346651a1bd676de5fdd0da7473f6b4106f221b11d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\388b0f12f5a0c50c6e3382d0293a6caaf19e498cf57e6f5312e410a723926b03.dll
Filesize
725KB

MD5
31c151abf0e267dcbf59687f5eaea977

SHA1
504c905865348144068a2b7bf3249e8c1d3ce8d7

SHA256
e6b99e7a0925e5b5c1ac08f9af988dd4682f47dbf6fa698decf1285a1ee062f3

SHA512
473c968fd7507b708cb7a4357f0655b8fc9e139548048dee9201db1ef7900a0a8f393cc20a34c9d6a2c2ec346651a1bd676de5fdd0da7473f6b4106f221b11d5

Download Submit
memory/1984-130-0x0000000004A15000-0x0000000004AE1000-memory.dmp

Filesize
816KB

Download
memory/1984-131-0x0000000004AF0000-0x0000000004BD0000-memory.dmp

Filesize
896KB

Download
memory/1984-132-0x0000000000400000-0x00000000047A0000-memory.dmp

Filesize
67.6MB

Download
memory/1984-138-0x0000000000400000-0x00000000047A0000-memory.dmp

Filesize
67.6MB

Download
memory/2172-136-0x0000000000000000-mapping.dmp

Download
memory/3016-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing