danabot | 3e2672a2317672593f579398b10f2128bd299fb259c3c92ad57091f22f0bacc5

General

Target

00192038_00192.scr
Size

453KB
MD5

aa0ceac2adff012dc0ba93e1c5bb72ab
SHA1

31ff6c14bf11786d3084cf569669a0af457d1084
SHA256

864b7f9f0446958428151bdffbfeb3ce566a1b82ca87b4abeb8e75e1e36f39ac
SHA512

36200bb05b1dc97b0e6bc17a0add145fa3600f18e701ed568f28c09a19c15e7a4820f37161831450d50ab7be9f232da2fdac5b6f70c069cd0e1003af0570e6e0

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

55.213.39.105

41.170.199.149

192.71.249.51

234.55.93.177

154.247.212.176

160.246.140.43

217.228.238.7

238.44.175.155

180.62.77.191

178.209.51.211

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\001920~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\001920~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\001920~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\001920~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\001920~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\001920~1.DLL	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
1	1704	rundll32.exe
2	1704	rundll32.exe
3	1704	rundll32.exe
5	1704	rundll32.exe
6	1704	rundll32.exe
7	1704	rundll32.exe
10	1704	rundll32.exe
13	1704	rundll32.exe

Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

1104 regsvr32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1104 regsvr32.exe
1704 rundll32.exe
1704 rundll32.exe
1704 rundll32.exe
1704 rundll32.exe

pid	process
1104	regsvr32.exe

pid	process
1104	regsvr32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

00192038_00192.scrregsvr32.exe

description	pid	process	target process
PID 1964 wrote to memory of 1104	1964	00192038_00192.scr	regsvr32.exe
PID 1964 wrote to memory of 1104	1964	00192038_00192.scr	regsvr32.exe
PID 1964 wrote to memory of 1104	1964	00192038_00192.scr	regsvr32.exe
PID 1964 wrote to memory of 1104	1964	00192038_00192.scr	regsvr32.exe
PID 1964 wrote to memory of 1104	1964	00192038_00192.scr	regsvr32.exe
PID 1964 wrote to memory of 1104	1964	00192038_00192.scr	regsvr32.exe
PID 1964 wrote to memory of 1104	1964	00192038_00192.scr	regsvr32.exe
PID 1104 wrote to memory of 1704	1104	regsvr32.exe	rundll32.exe
PID 1104 wrote to memory of 1704	1104	regsvr32.exe	rundll32.exe
PID 1104 wrote to memory of 1704	1104	regsvr32.exe	rundll32.exe
PID 1104 wrote to memory of 1704	1104	regsvr32.exe	rundll32.exe
PID 1104 wrote to memory of 1704	1104	regsvr32.exe	rundll32.exe
PID 1104 wrote to memory of 1704	1104	regsvr32.exe	rundll32.exe
PID 1104 wrote to memory of 1704	1104	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\00192038_00192.scr
"C:\Users\Admin\AppData\Local\Temp\00192038_00192.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\001920~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\001920~1.SCR@1964
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\001920~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\001920~1.DLL
Filesize
288KB

MD5
7962586b6a7c29a46efe7aaa939d4c1c

SHA1
5cbc9fb7da6fc44361a4082cbf79b87d806f0713

SHA256
de6b76cd4cf4c235687d919ce6a72c9fe50791f0946f468fe788c786420aae3d

SHA512
12e6384e9b0001c7c7a9ad82b3ca5585f76eefc2a7372ad697d13b5c7ea512df95cf610f8b0e087616946179c958499c8b829fb53243f3e3ff0b8d19c9876a3c

Download Submit
\Users\Admin\AppData\Local\Temp\001920~1.DLL
Filesize
288KB

MD5
7962586b6a7c29a46efe7aaa939d4c1c

SHA1
5cbc9fb7da6fc44361a4082cbf79b87d806f0713

SHA256
de6b76cd4cf4c235687d919ce6a72c9fe50791f0946f468fe788c786420aae3d

SHA512
12e6384e9b0001c7c7a9ad82b3ca5585f76eefc2a7372ad697d13b5c7ea512df95cf610f8b0e087616946179c958499c8b829fb53243f3e3ff0b8d19c9876a3c

Download Submit
\Users\Admin\AppData\Local\Temp\001920~1.DLL
Filesize
288KB

MD5
7962586b6a7c29a46efe7aaa939d4c1c

SHA1
5cbc9fb7da6fc44361a4082cbf79b87d806f0713

SHA256
de6b76cd4cf4c235687d919ce6a72c9fe50791f0946f468fe788c786420aae3d

SHA512
12e6384e9b0001c7c7a9ad82b3ca5585f76eefc2a7372ad697d13b5c7ea512df95cf610f8b0e087616946179c958499c8b829fb53243f3e3ff0b8d19c9876a3c

Download Submit
\Users\Admin\AppData\Local\Temp\001920~1.DLL
Filesize
288KB

MD5
7962586b6a7c29a46efe7aaa939d4c1c

SHA1
5cbc9fb7da6fc44361a4082cbf79b87d806f0713

SHA256
de6b76cd4cf4c235687d919ce6a72c9fe50791f0946f468fe788c786420aae3d

SHA512
12e6384e9b0001c7c7a9ad82b3ca5585f76eefc2a7372ad697d13b5c7ea512df95cf610f8b0e087616946179c958499c8b829fb53243f3e3ff0b8d19c9876a3c

Download Submit
\Users\Admin\AppData\Local\Temp\001920~1.DLL
Filesize
288KB

MD5
7962586b6a7c29a46efe7aaa939d4c1c

SHA1
5cbc9fb7da6fc44361a4082cbf79b87d806f0713

SHA256
de6b76cd4cf4c235687d919ce6a72c9fe50791f0946f468fe788c786420aae3d

SHA512
12e6384e9b0001c7c7a9ad82b3ca5585f76eefc2a7372ad697d13b5c7ea512df95cf610f8b0e087616946179c958499c8b829fb53243f3e3ff0b8d19c9876a3c

Download Submit
\Users\Admin\AppData\Local\Temp\001920~1.DLL
Filesize
288KB

MD5
7962586b6a7c29a46efe7aaa939d4c1c

SHA1
5cbc9fb7da6fc44361a4082cbf79b87d806f0713

SHA256
de6b76cd4cf4c235687d919ce6a72c9fe50791f0946f468fe788c786420aae3d

SHA512
12e6384e9b0001c7c7a9ad82b3ca5585f76eefc2a7372ad697d13b5c7ea512df95cf610f8b0e087616946179c958499c8b829fb53243f3e3ff0b8d19c9876a3c

Download Submit
memory/1104-55-0x0000000000000000-mapping.dmp

Download
memory/1104-59-0x0000000000290000-0x00000000002E6000-memory.dmp

Filesize
344KB

Download
memory/1704-60-0x0000000000000000-mapping.dmp

Download
memory/1704-66-0x0000000000720000-0x0000000000776000-memory.dmp

Filesize
344KB

Download
memory/1964-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads