danabot | 3bdd87bfb09ed50bb6fb743d23c052aae947c420b5f64916216cd0c2d90109fc

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.3MB
MD5

7a14f2a7902fd7f1199cf3adb6bc77e5
SHA1

2036574d84573d0399b2968dc32e5b52437ecdd5
SHA256

3bdd87bfb09ed50bb6fb743d23c052aae947c420b5f64916216cd0c2d90109fc
SHA512

c64b643ec38978c9ce4d810689b4eb9569d1f948c78434a0e469e4d9e597cb50c89f0d3b3b8bbe7e17735f9f40f2ed29ea88ea9958c5da33c7751e3502101324
SSDEEP

24576:1allXB6VDoqMmi044AKIYqAKqIZIXlYBrL+Jj6sxY0wDxML/R:UlD6VDoki0jNqA1IZaYl+j6sCo

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 27 IoCs

Processes:

rundll32.exe

flow	pid	process
3	1716	rundll32.exe
6	1716	rundll32.exe
7	1716	rundll32.exe
8	1716	rundll32.exe
9	1716	rundll32.exe
10	1716	rundll32.exe
11	1716	rundll32.exe
12	1716	rundll32.exe
13	1716	rundll32.exe
14	1716	rundll32.exe
15	1716	rundll32.exe
16	1716	rundll32.exe
17	1716	rundll32.exe
18	1716	rundll32.exe
19	1716	rundll32.exe
20	1716	rundll32.exe
21	1716	rundll32.exe
22	1716	rundll32.exe
23	1716	rundll32.exe
24	1716	rundll32.exe
25	1716	rundll32.exe
26	1716	rundll32.exe
27	1716	rundll32.exe
28	1716	rundll32.exe
29	1716	rundll32.exe
30	1716	rundll32.exe
31	1716	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1032 wrote to memory of 1788	1032	tmp.exe	AdapterTroubleshooter.exe
PID 1032 wrote to memory of 1788	1032	tmp.exe	AdapterTroubleshooter.exe
PID 1032 wrote to memory of 1788	1032	tmp.exe	AdapterTroubleshooter.exe
PID 1032 wrote to memory of 1788	1032	tmp.exe	AdapterTroubleshooter.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe
PID 1032 wrote to memory of 1716	1032	tmp.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
2⤵
PID:1788

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-60-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1032-54-0x0000000002040000-0x0000000002166000-memory.dmp

Filesize
1.1MB

Download
memory/1032-69-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1032-57-0x0000000002040000-0x0000000002166000-memory.dmp

Filesize
1.1MB

Download
memory/1032-58-0x0000000002170000-0x000000000244B000-memory.dmp

Filesize
2.9MB

Download
memory/1032-59-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1032-61-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1716-67-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1716-65-0x0000000000000000-mapping.dmp

Download
memory/1716-63-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1716-68-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1716-70-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1788-55-0x0000000000000000-mapping.dmp

Download
memory/1788-56-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download