danabot | 026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd

General

Target

026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe
Size

1.3MB
MD5

6a71f70b1f3b524dfd7d487e3a9548dc
SHA1

05a6e768ceec54ec429de83e61e9bde1490486ec
SHA256

026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd
SHA512

e7ab802b4a847bee11a77bb6f8cf3a2ba9145e799d1ca24219d40d870e9fe7488cc0dc97efeba10cb1ee2d86b8a1f5c8ed8d864d8a290763e245a5f0f4ec6115
SSDEEP

24576:SK1FsgSPrW6NbMJf7Xf1U1ocDmRkBUl3LZykgbcEoDPhRI8h1pRMdjjTXcPMQC:legSPrX4Jf7PO1RDmiOlV9gro7hRIkiF

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3420	3844	WerFault.exe	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe
2028	3844	WerFault.exe	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe

description	pid	process	target process
PID 3844 wrote to memory of 2352	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	appidtel.exe
PID 3844 wrote to memory of 2352	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	appidtel.exe
PID 3844 wrote to memory of 2352	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	appidtel.exe
PID 3844 wrote to memory of 3584	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	rundll32.exe
PID 3844 wrote to memory of 3584	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	rundll32.exe
PID 3844 wrote to memory of 3584	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	rundll32.exe
PID 3844 wrote to memory of 3584	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	rundll32.exe
PID 3844 wrote to memory of 3584	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	rundll32.exe
PID 3844 wrote to memory of 3584	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	rundll32.exe
PID 3844 wrote to memory of 3584	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	rundll32.exe
PID 3844 wrote to memory of 3584	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	rundll32.exe
PID 3844 wrote to memory of 3584	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	rundll32.exe
PID 3844 wrote to memory of 3584	3844	026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe
"C:\Users\Admin\AppData\Local\Temp\026b3b22fb8666ed49e33d9dffb361aada2dc4470eded031487c0b5a4779d6dd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:2352

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 608
2⤵
- Program crash
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 584
2⤵
- Program crash
PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2352-148-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-158-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-153-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-154-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-157-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-155-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-156-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-152-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-151-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-150-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/2352-147-0x0000000000000000-mapping.dmp

Download
memory/2352-149-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-145-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-120-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-129-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-131-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-132-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-133-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-134-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-135-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-136-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-137-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-138-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-139-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-140-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-142-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-141-0x0000000002390000-0x00000000024C0000-memory.dmp

Filesize
1.2MB

Download
memory/3844-144-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-143-0x00000000024C0000-0x000000000279B000-memory.dmp

Filesize
2.9MB

Download
memory/3844-115-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-146-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-127-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-126-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-125-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-124-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-123-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-122-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-128-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-121-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-119-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-118-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-117-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-159-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3844-116-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-160-0x0000000002390000-0x00000000024C0000-memory.dmp

Filesize
1.2MB

Download
memory/3844-161-0x00000000024C0000-0x000000000279B000-memory.dmp

Filesize
2.9MB

Download
memory/3844-162-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3844-163-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3844-164-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-165-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-166-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-167-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-168-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-169-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-170-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-172-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-173-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-175-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-174-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-171-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3844-176-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing