danabot | 3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296

General

Target

3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe
Size

687KB
MD5

6dac1a3ff16b78e26bb59ada70f01af6
SHA1

9a735d323fc9a90061e2be03ca7b2fe859765685
SHA256

3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296
SHA512

f977a1d4cad0a3230667d93f5a8662a1df093b3627764ad5e998fa2b02edeae6a1e20d99813076b2da05f15a11b2f538c3c82502cddd6bc190c1c28445635f16

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

193.103.171.195

116.2.174.16

96.89.5.167

208.140.75.37

89.144.25.243

192.71.249.51

6.17.108.150

40.147.224.49

82.245.40.118

150.82.21.153

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 4 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3CC797~1.DLL	family_danabot
C:\Users\Admin\AppData\Local\Temp\3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.dll	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

4 3336 rundll32.exe
12 3336 rundll32.exe
21 3336 rundll32.exe
28 3336 rundll32.exe
35 3336 rundll32.exe
38 3336 rundll32.exe
42 3336 rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

5060 regsvr32.exe
5060 regsvr32.exe
3336 rundll32.exe

flow	pid	process
4	3336	rundll32.exe
12	3336	rundll32.exe
21	3336	rundll32.exe
28	3336	rundll32.exe
35	3336	rundll32.exe
38	3336	rundll32.exe
42	3336	rundll32.exe

pid	process
5060	regsvr32.exe
5060	regsvr32.exe
3336	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exeregsvr32.exe

description	pid	process	target process
PID 532 wrote to memory of 5060	532	3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe	regsvr32.exe
PID 532 wrote to memory of 5060	532	3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe	regsvr32.exe
PID 532 wrote to memory of 5060	532	3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe	regsvr32.exe
PID 5060 wrote to memory of 3336	5060	regsvr32.exe	rundll32.exe
PID 5060 wrote to memory of 3336	5060	regsvr32.exe	rundll32.exe
PID 5060 wrote to memory of 3336	5060	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe
"C:\Users\Admin\AppData\Local\Temp\3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\3CC797~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\3CC797~1.EXE@532
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3CC797~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3CC797~1.DLL
Filesize
488KB

MD5
ccbd8a992975272894b427e838285aea

SHA1
4133d5775fae932dbfa0a6a79a44fc558b1951bb

SHA256
3eebff374cbb7f0942d1b983744bafc7086ba9508196ae311016c2b22efc1b30

SHA512
789b76011659a7c7bbcea7b0e00ea8602aeea1bb303bd5b34e5dce548b8375dcaa2c6709b741e807213340b7829cd9b64640c61a1dcb6c8b1b12688621f83a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.dll
Filesize
488KB

MD5
ccbd8a992975272894b427e838285aea

SHA1
4133d5775fae932dbfa0a6a79a44fc558b1951bb

SHA256
3eebff374cbb7f0942d1b983744bafc7086ba9508196ae311016c2b22efc1b30

SHA512
789b76011659a7c7bbcea7b0e00ea8602aeea1bb303bd5b34e5dce548b8375dcaa2c6709b741e807213340b7829cd9b64640c61a1dcb6c8b1b12688621f83a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.dll
Filesize
488KB

MD5
ccbd8a992975272894b427e838285aea

SHA1
4133d5775fae932dbfa0a6a79a44fc558b1951bb

SHA256
3eebff374cbb7f0942d1b983744bafc7086ba9508196ae311016c2b22efc1b30

SHA512
789b76011659a7c7bbcea7b0e00ea8602aeea1bb303bd5b34e5dce548b8375dcaa2c6709b741e807213340b7829cd9b64640c61a1dcb6c8b1b12688621f83a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cc7971bfd563bc45ae27b1d077990952827b3ff9833015bc3b5e675a7699296.dll
Filesize
488KB

MD5
ccbd8a992975272894b427e838285aea

SHA1
4133d5775fae932dbfa0a6a79a44fc558b1951bb

SHA256
3eebff374cbb7f0942d1b983744bafc7086ba9508196ae311016c2b22efc1b30

SHA512
789b76011659a7c7bbcea7b0e00ea8602aeea1bb303bd5b34e5dce548b8375dcaa2c6709b741e807213340b7829cd9b64640c61a1dcb6c8b1b12688621f83a61

Download Submit
memory/3336-135-0x0000000000000000-mapping.dmp

Download
memory/5060-130-0x0000000000000000-mapping.dmp

Download
memory/5060-134-0x0000000000760000-0x00000000007E8000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing