Overview

overview

10

Static

static

00192038_00192.scr

windows7_x64

10

00192038_00192.scr

windows10-2004_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00192038_00192.scr

  • Size

    453KB

  • MD5

    aa0ceac2adff012dc0ba93e1c5bb72ab

  • SHA1

    31ff6c14bf11786d3084cf569669a0af457d1084

  • SHA256

    864b7f9f0446958428151bdffbfeb3ce566a1b82ca87b4abeb8e75e1e36f39ac

  • SHA512

    36200bb05b1dc97b0e6bc17a0add145fa3600f18e701ed568f28c09a19c15e7a4820f37161831450d50ab7be9f232da2fdac5b6f70c069cd0e1003af0570e6e0

Score
10/10
danabotbankerbotnettrojan

Malware Config

Extracted

Family

danabot

C2

55.213.39.105

41.170.199.149

192.71.249.51

234.55.93.177

154.247.212.176

160.246.140.43

217.228.238.7

238.44.175.155

180.62.77.191

178.209.51.211
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 3 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00192038_00192.scr
    "C:\Users\Admin\AppData\Local\Temp\00192038_00192.scr" /S
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\001920~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\001920~1.SCR@4888
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\001920~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:3468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\00192038_00192.dll
    Filesize

    288KB

    MD5

    f161a41af3babee854e89792622ed9a7

    SHA1

    5af57ea20b26485014b8e9e6e3282f5d703f3d22

    SHA256

    eec053407b16764bcf5b0931373099ceb4d85b18750b5cc6428fbd7ebbd33c21

    SHA512

    82e9d797a61bc17d071e67826f2cdbb3dc2a30d6f29222eee025dda9ba57bcd49fef9b392441d4293e18c3ddfe264405706fb388ad6bf47de72a3ce26d3cd481

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\00192038_00192.dll
    Filesize

    288KB

    MD5

    f161a41af3babee854e89792622ed9a7

    SHA1

    5af57ea20b26485014b8e9e6e3282f5d703f3d22

    SHA256

    eec053407b16764bcf5b0931373099ceb4d85b18750b5cc6428fbd7ebbd33c21

    SHA512

    82e9d797a61bc17d071e67826f2cdbb3dc2a30d6f29222eee025dda9ba57bcd49fef9b392441d4293e18c3ddfe264405706fb388ad6bf47de72a3ce26d3cd481

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\001920~1.DLL
    Filesize

    288KB

    MD5

    f161a41af3babee854e89792622ed9a7

    SHA1

    5af57ea20b26485014b8e9e6e3282f5d703f3d22

    SHA256

    eec053407b16764bcf5b0931373099ceb4d85b18750b5cc6428fbd7ebbd33c21

    SHA512

    82e9d797a61bc17d071e67826f2cdbb3dc2a30d6f29222eee025dda9ba57bcd49fef9b392441d4293e18c3ddfe264405706fb388ad6bf47de72a3ce26d3cd481

    Download Submit
  • memory/3468-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3968-130-0x0000000000000000-mapping.dmp
    Download