danabot | e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b

General

Target

e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe
Size

1.3MB
MD5

a492ac51eb8bb67946e1f1bc6b0a20ee
SHA1

c7095e4482bf5e6afc069611f4ca01d60ac304b7
SHA256

e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b
SHA512

48f51f3541e4d514694c36ffb209328dc35fa4a460fae76b3353e8758267eb41cd313913c1509b5edd57eb00619ebd3fdf34d0ee39dc2c39d93761c480d37dda
SSDEEP

24576:f4CSrOYnYWb9G3DlxmugDzsL9fq2fAU0++9OGD5cLGZqzMQ6K59E:o6qb9gDlcug3M9tB0Ow5cLG/n4

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
516	2496	WerFault.exe	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe
792	2496	WerFault.exe	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe

description	pid	process	target process
PID 2496 wrote to memory of 1012	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	appidtel.exe
PID 2496 wrote to memory of 1012	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	appidtel.exe
PID 2496 wrote to memory of 1012	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	appidtel.exe
PID 2496 wrote to memory of 4360	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	rundll32.exe
PID 2496 wrote to memory of 4360	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	rundll32.exe
PID 2496 wrote to memory of 4360	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	rundll32.exe
PID 2496 wrote to memory of 4360	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	rundll32.exe
PID 2496 wrote to memory of 4360	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	rundll32.exe
PID 2496 wrote to memory of 4360	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	rundll32.exe
PID 2496 wrote to memory of 4360	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	rundll32.exe
PID 2496 wrote to memory of 4360	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	rundll32.exe
PID 2496 wrote to memory of 4360	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	rundll32.exe
PID 2496 wrote to memory of 4360	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	rundll32.exe
PID 2496 wrote to memory of 4360	2496	e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe
"C:\Users\Admin\AppData\Local\Temp\e5b9ace672dd8021ba842d3c3db19d08499730632902910c8f74fc884513e51b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:1012

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 612
2⤵
- Program crash
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 628
2⤵
- Program crash
PID:792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1012-149-0x0000000000000000-mapping.dmp

Download
memory/1012-161-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/1012-160-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/1012-159-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/1012-158-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/1012-157-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/1012-156-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/1012-154-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/1012-153-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/1012-152-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/1012-151-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/1012-150-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-147-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-123-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-131-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-133-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-134-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-135-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-136-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-137-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-138-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-139-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-140-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-141-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-142-0x0000000002480000-0x00000000025A9000-memory.dmp

Filesize
1.2MB

Download
memory/2496-144-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-143-0x0000000002600000-0x00000000028DB000-memory.dmp

Filesize
2.9MB

Download
memory/2496-145-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-146-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-117-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-148-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-129-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-128-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-127-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-126-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-125-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-124-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-130-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-155-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/2496-122-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-121-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-120-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-119-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-118-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-162-0x0000000002480000-0x00000000025A9000-memory.dmp

Filesize
1.2MB

Download
memory/2496-163-0x0000000002600000-0x00000000028DB000-memory.dmp

Filesize
2.9MB

Download
memory/2496-164-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/2496-165-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/2496-166-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-167-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-168-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-169-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-170-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/2496-171-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-172-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-173-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-174-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-175-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-176-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-177-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-178-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing