danabot | d47a02152a9d2044647152905f91e918fb3dd97e2b7608feb58f7006ca071e31

General

Target

D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe
Size

1.7MB
MD5

797d6206ba16b4d4814f24b087c1c02f
SHA1

65410baf8d3862aef998db456512fd46624addea
SHA256

d47a02152a9d2044647152905f91e918fb3dd97e2b7608feb58f7006ca071e31
SHA512

96d4cc9acef984232f7a9d9584c4029785f2841dc3b2cfc73ccf7e79929dcd16e189aa13fa101a4a2edcec0d6c5baaa586667732b63d77e61344c3121543a836
SSDEEP

24576:01FYt7Rh79rK04IgcdciWEyi1FYO8NH6BJFNMrQepRpIMvqbUbnNEYA5Y68mPOhn:iFAh7cZc+LZO8NHQEr/QM24o4

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

23.106.122.139:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D47A02~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\D47A02~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\D47A02~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\D47A02~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\D47A02~1.DLL	DanabotLoader2021
behavioral1/memory/2000-66-0x0000000001EE0000-0x0000000002159000-memory.dmp	DanabotLoader2021

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

2000 rundll32.exe
2000 rundll32.exe
2000 rundll32.exe
2000 rundll32.exe

pid	process
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe

description	pid	process	target process
PID 1884 wrote to memory of 2000	1884	D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe	rundll32.exe
PID 1884 wrote to memory of 2000	1884	D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe	rundll32.exe
PID 1884 wrote to memory of 2000	1884	D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe	rundll32.exe
PID 1884 wrote to memory of 2000	1884	D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe	rundll32.exe
PID 1884 wrote to memory of 2000	1884	D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe	rundll32.exe
PID 1884 wrote to memory of 2000	1884	D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe	rundll32.exe
PID 1884 wrote to memory of 2000	1884	D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe
"C:\Users\Admin\AppData\Local\Temp\D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\D47A02~1.DLL,s C:\Users\Admin\AppData\Local\Temp\D47A02~1.EXE
2⤵
- Loads dropped DLL
PID:2000

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D47A02~1.DLL
Filesize
2.4MB

MD5
1500e3160f2d7bfde9d368d6865a250e

SHA1
afe8d7ad9085cbc7538108546eb9f46d09c040fb

SHA256
cbf71553c2dcb2ee0d9ad949877b61151d0374fb9f67cb3c5290d31c63c086dc

SHA512
fff78aeb27f33bd64718743c64fd30af2bedd6fa85ada66e7ed3d1de569234b6664bb3bc2d156e507b50f76c5ba80396bc7a51ab7b0e017c81e4f4cb82ee91f9

Download Submit
\Users\Admin\AppData\Local\Temp\D47A02~1.DLL
Filesize
2.4MB

MD5
1500e3160f2d7bfde9d368d6865a250e

SHA1
afe8d7ad9085cbc7538108546eb9f46d09c040fb

SHA256
cbf71553c2dcb2ee0d9ad949877b61151d0374fb9f67cb3c5290d31c63c086dc

SHA512
fff78aeb27f33bd64718743c64fd30af2bedd6fa85ada66e7ed3d1de569234b6664bb3bc2d156e507b50f76c5ba80396bc7a51ab7b0e017c81e4f4cb82ee91f9

Download Submit
\Users\Admin\AppData\Local\Temp\D47A02~1.DLL
Filesize
2.4MB

MD5
1500e3160f2d7bfde9d368d6865a250e

SHA1
afe8d7ad9085cbc7538108546eb9f46d09c040fb

SHA256
cbf71553c2dcb2ee0d9ad949877b61151d0374fb9f67cb3c5290d31c63c086dc

SHA512
fff78aeb27f33bd64718743c64fd30af2bedd6fa85ada66e7ed3d1de569234b6664bb3bc2d156e507b50f76c5ba80396bc7a51ab7b0e017c81e4f4cb82ee91f9

Download Submit
\Users\Admin\AppData\Local\Temp\D47A02~1.DLL
Filesize
2.4MB

MD5
1500e3160f2d7bfde9d368d6865a250e

SHA1
afe8d7ad9085cbc7538108546eb9f46d09c040fb

SHA256
cbf71553c2dcb2ee0d9ad949877b61151d0374fb9f67cb3c5290d31c63c086dc

SHA512
fff78aeb27f33bd64718743c64fd30af2bedd6fa85ada66e7ed3d1de569234b6664bb3bc2d156e507b50f76c5ba80396bc7a51ab7b0e017c81e4f4cb82ee91f9

Download Submit
\Users\Admin\AppData\Local\Temp\D47A02~1.DLL
Filesize
2.4MB

MD5
1500e3160f2d7bfde9d368d6865a250e

SHA1
afe8d7ad9085cbc7538108546eb9f46d09c040fb

SHA256
cbf71553c2dcb2ee0d9ad949877b61151d0374fb9f67cb3c5290d31c63c086dc

SHA512
fff78aeb27f33bd64718743c64fd30af2bedd6fa85ada66e7ed3d1de569234b6664bb3bc2d156e507b50f76c5ba80396bc7a51ab7b0e017c81e4f4cb82ee91f9

Download Submit
memory/1884-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1884-55-0x0000000000C70000-0x0000000000DFE000-memory.dmp

Filesize
1.6MB

Download
memory/1884-56-0x0000000000E00000-0x0000000000FA4000-memory.dmp

Filesize
1.6MB

Download
memory/1884-57-0x0000000000400000-0x00000000009A4000-memory.dmp

Filesize
5.6MB

Download
memory/1884-58-0x0000000000400000-0x00000000009A4000-memory.dmp

Filesize
5.6MB

Download
memory/2000-59-0x0000000000000000-mapping.dmp

Download
memory/2000-66-0x0000000001EE0000-0x0000000002159000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing