danabot | 3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296

General

Target

3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe
Size

687KB
MD5

6dac1a3ff16b78e26bb59ada70f01af6
SHA1

9a735d323fc9a90061e2be03ca7b2fe859765685
SHA256

3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296
SHA512

f977a1d4cad0a3230667d93f5a8662a1df093b3627764ad5e998fa2b02edeae6a1e20d99813076b2da05f15a11b2f538c3c82502cddd6bc190c1c28445635f16

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

193.103.171.195

116.2.174.16

96.89.5.167

208.140.75.37

89.144.25.243

192.71.249.51

6.17.108.150

40.147.224.49

82.245.40.118

150.82.21.153

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3CC797~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\3CC797~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\3CC797~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\3CC797~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\3CC797~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\3CC797~1.DLL	family_danabot

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

14 1240 rundll32.exe
17 1240 rundll32.exe
20 1240 rundll32.exe
23 1240 rundll32.exe
24 1240 rundll32.exe
Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

1940 regsvr32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1940 regsvr32.exe
1240 rundll32.exe
1240 rundll32.exe
1240 rundll32.exe
1240 rundll32.exe

flow	pid	process
14	1240	rundll32.exe
17	1240	rundll32.exe
20	1240	rundll32.exe
23	1240	rundll32.exe
24	1240	rundll32.exe

pid	process
1940	regsvr32.exe

pid	process
1940	regsvr32.exe
1240	rundll32.exe
1240	rundll32.exe
1240	rundll32.exe
1240	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exeregsvr32.exe

description	pid	process	target process
PID 1928 wrote to memory of 1940	1928	3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe	regsvr32.exe
PID 1928 wrote to memory of 1940	1928	3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe	regsvr32.exe
PID 1928 wrote to memory of 1940	1928	3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe	regsvr32.exe
PID 1928 wrote to memory of 1940	1928	3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe	regsvr32.exe
PID 1928 wrote to memory of 1940	1928	3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe	regsvr32.exe
PID 1928 wrote to memory of 1940	1928	3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe	regsvr32.exe
PID 1928 wrote to memory of 1940	1928	3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe	regsvr32.exe
PID 1940 wrote to memory of 1240	1940	regsvr32.exe	rundll32.exe
PID 1940 wrote to memory of 1240	1940	regsvr32.exe	rundll32.exe
PID 1940 wrote to memory of 1240	1940	regsvr32.exe	rundll32.exe
PID 1940 wrote to memory of 1240	1940	regsvr32.exe	rundll32.exe
PID 1940 wrote to memory of 1240	1940	regsvr32.exe	rundll32.exe
PID 1940 wrote to memory of 1240	1940	regsvr32.exe	rundll32.exe
PID 1940 wrote to memory of 1240	1940	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe
"C:\Users\Admin\AppData\Local\Temp\3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\3CC797~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\3CC797~1.EXE@1928
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3CC797~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3CC797~1.DLL
Filesize
488KB

MD5
1722f9a54165d3816dd6eedf58c14f71

SHA1
cc08a37aa5199d615eab876a6429e99ede7bf8e6

SHA256
faf247d7b18ce3eb7c76942919da22cf3cf2dc53d7d62f879347e78a3a2667fe

SHA512
1549b1a4cd769e202a4e00982615c1260c50ebaeefe8b1041e72d33b4652120dab5c001116f2c3f6e3fcd0885260ce69f34d2029c4a48698138875166d31e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\3CC797~1.DLL
Filesize
488KB

MD5
1722f9a54165d3816dd6eedf58c14f71

SHA1
cc08a37aa5199d615eab876a6429e99ede7bf8e6

SHA256
faf247d7b18ce3eb7c76942919da22cf3cf2dc53d7d62f879347e78a3a2667fe

SHA512
1549b1a4cd769e202a4e00982615c1260c50ebaeefe8b1041e72d33b4652120dab5c001116f2c3f6e3fcd0885260ce69f34d2029c4a48698138875166d31e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\3CC797~1.DLL
Filesize
488KB

MD5
1722f9a54165d3816dd6eedf58c14f71

SHA1
cc08a37aa5199d615eab876a6429e99ede7bf8e6

SHA256
faf247d7b18ce3eb7c76942919da22cf3cf2dc53d7d62f879347e78a3a2667fe

SHA512
1549b1a4cd769e202a4e00982615c1260c50ebaeefe8b1041e72d33b4652120dab5c001116f2c3f6e3fcd0885260ce69f34d2029c4a48698138875166d31e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\3CC797~1.DLL
Filesize
488KB

MD5
1722f9a54165d3816dd6eedf58c14f71

SHA1
cc08a37aa5199d615eab876a6429e99ede7bf8e6

SHA256
faf247d7b18ce3eb7c76942919da22cf3cf2dc53d7d62f879347e78a3a2667fe

SHA512
1549b1a4cd769e202a4e00982615c1260c50ebaeefe8b1041e72d33b4652120dab5c001116f2c3f6e3fcd0885260ce69f34d2029c4a48698138875166d31e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\3CC797~1.DLL
Filesize
488KB

MD5
1722f9a54165d3816dd6eedf58c14f71

SHA1
cc08a37aa5199d615eab876a6429e99ede7bf8e6

SHA256
faf247d7b18ce3eb7c76942919da22cf3cf2dc53d7d62f879347e78a3a2667fe

SHA512
1549b1a4cd769e202a4e00982615c1260c50ebaeefe8b1041e72d33b4652120dab5c001116f2c3f6e3fcd0885260ce69f34d2029c4a48698138875166d31e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\3CC797~1.DLL
Filesize
488KB

MD5
1722f9a54165d3816dd6eedf58c14f71

SHA1
cc08a37aa5199d615eab876a6429e99ede7bf8e6

SHA256
faf247d7b18ce3eb7c76942919da22cf3cf2dc53d7d62f879347e78a3a2667fe

SHA512
1549b1a4cd769e202a4e00982615c1260c50ebaeefe8b1041e72d33b4652120dab5c001116f2c3f6e3fcd0885260ce69f34d2029c4a48698138875166d31e1d8

Download Submit
memory/1240-59-0x0000000000000000-mapping.dmp

Download
memory/1240-65-0x00000000006F0000-0x0000000000778000-memory.dmp

Filesize
544KB

Download
memory/1940-54-0x0000000000000000-mapping.dmp

Download
memory/1940-55-0x0000000075941000-0x0000000075943000-memory.dmp

Filesize
8KB

Download
memory/1940-58-0x0000000001E90000-0x0000000001F18000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing