danabot | d47a02152a9d2044647152905f91e918fb3dd97e2b7608feb58f7006ca071e31

Analysis

max time kernel
139s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2022 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe
Size

1.7MB
MD5

797d6206ba16b4d4814f24b087c1c02f
SHA1

65410baf8d3862aef998db456512fd46624addea
SHA256

d47a02152a9d2044647152905f91e918fb3dd97e2b7608feb58f7006ca071e31
SHA512

96d4cc9acef984232f7a9d9584c4029785f2841dc3b2cfc73ccf7e79929dcd16e189aa13fa101a4a2edcec0d6c5baaa586667732b63d77e61344c3121543a836
SSDEEP

24576:01FYt7Rh79rK04IgcdciWEyi1FYO8NH6BJFNMrQepRpIMvqbUbnNEYA5Y68mPOhn:iFAh7cZc+LZO8NHQEr/QM24o4

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.223:443

23.106.122.139:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D47A02~1.DLL	DanabotLoader2021
behavioral2/memory/4120-139-0x00000000023E0000-0x0000000002659000-memory.dmp	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\D47A02~1.EXE.dll	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\D47A02~1.EXE.dll	DanabotLoader2021

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4120 rundll32.exe
4120 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4144 2376 WerFault.exe D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe

pid	process
4120	rundll32.exe
4120	rundll32.exe

pid	pid_target	process	target process
4144	2376	WerFault.exe	D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe

description	pid	process	target process
PID 2376 wrote to memory of 4120	2376	D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe	rundll32.exe
PID 2376 wrote to memory of 4120	2376	D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe	rundll32.exe
PID 2376 wrote to memory of 4120	2376	D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe
"C:\Users\Admin\AppData\Local\Temp\D47A02152A9D2044647152905F91E918FB3DD97E2B760.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\D47A02~1.DLL,s C:\Users\Admin\AppData\Local\Temp\D47A02~1.EXE
2⤵
- Loads dropped DLL
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 512
2⤵
- Program crash
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2376 -ip 2376
1⤵
PID:3116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D47A02~1.DLL
Filesize
2.4MB

MD5
170a6f5600614941359993c37de8011b

SHA1
be302e4200c2d60a2312f91cd8b17c0e05eaf60f

SHA256
84507b3b2b3ddbad3f8583e4367f340b8fce1e704cc8dc0b85a6c336a062f419

SHA512
f077af0fc2a58b16c3025930547e66a1174cd19f4d59fc664e0cd83c2b3f650a10670833eef84c699a57266b1bfe443f02a555df774938e20dd73fccaf5b87a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D47A02~1.EXE.dll
Filesize
2.4MB

MD5
170a6f5600614941359993c37de8011b

SHA1
be302e4200c2d60a2312f91cd8b17c0e05eaf60f

SHA256
84507b3b2b3ddbad3f8583e4367f340b8fce1e704cc8dc0b85a6c336a062f419

SHA512
f077af0fc2a58b16c3025930547e66a1174cd19f4d59fc664e0cd83c2b3f650a10670833eef84c699a57266b1bfe443f02a555df774938e20dd73fccaf5b87a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D47A02~1.EXE.dll
Filesize
2.4MB

MD5
170a6f5600614941359993c37de8011b

SHA1
be302e4200c2d60a2312f91cd8b17c0e05eaf60f

SHA256
84507b3b2b3ddbad3f8583e4367f340b8fce1e704cc8dc0b85a6c336a062f419

SHA512
f077af0fc2a58b16c3025930547e66a1174cd19f4d59fc664e0cd83c2b3f650a10670833eef84c699a57266b1bfe443f02a555df774938e20dd73fccaf5b87a2

Download Submit
memory/2376-132-0x0000000000F10000-0x000000000109E000-memory.dmp

Filesize
1.6MB

Download
memory/2376-133-0x00000000010A0000-0x0000000001244000-memory.dmp

Filesize
1.6MB

Download
memory/2376-134-0x0000000000400000-0x00000000009A4000-memory.dmp

Filesize
5.6MB

Download
memory/2376-140-0x0000000000400000-0x00000000009A4000-memory.dmp

Filesize
5.6MB

Download
memory/4120-135-0x0000000000000000-mapping.dmp

Download
memory/4120-139-0x00000000023E0000-0x0000000002659000-memory.dmp

Filesize
2.5MB

Download