danabot | 97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794

Analysis

max time kernel
73s
max time network
58s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26-09-2022 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe
Size

1.2MB
MD5

61e96ce82e0b4d75fb14549a01d34a08
SHA1

c11f3f509fc4cdf2b2849c3f33bf4ed6f9f2449c
SHA256

97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794
SHA512

8127d6ce59f680cf6f675c2a6ac140318f9455c30f13c3f7ea3c761e44f4698813daee865ccfdb93a3670afd86be90c45f202c9ac512827c62bbf77248eccb4c
SSDEEP

24576:r+jGtX2PqhdM472XAnoopR9uovrEfKfm36yRioUg6qMjkH24/Vjlj:r+jgX2PKdT7oWoo7fjEhRT6qMjsdl

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2768	4364	WerFault.exe	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe
2160	4364	WerFault.exe	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe

description	pid	process	target process
PID 4364 wrote to memory of 2660	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	appidtel.exe
PID 4364 wrote to memory of 2660	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	appidtel.exe
PID 4364 wrote to memory of 2660	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	appidtel.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe
PID 4364 wrote to memory of 2316	4364	97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe
"C:\Users\Admin\AppData\Local\Temp\97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\appidtel.exe
  C:\Windows\system32\appidtel.exe
  2⤵
  PID:2660
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  PID:2316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 608
  2⤵
  - Program crash
  PID:2768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 568
  2⤵
  - Program crash
  PID:2160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2660-148-0x0000000000000000-mapping.dmp

Download
memory/2660-160-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-159-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-158-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-157-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-156-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-155-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-154-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-152-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-151-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-150-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-149-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-146-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-123-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-130-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-132-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-133-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-134-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-135-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-136-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-138-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-137-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-139-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-140-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-141-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-142-0x0000000002350000-0x0000000002484000-memory.dmp

Filesize
1.2MB

Download
memory/4364-143-0x0000000002490000-0x000000000276B000-memory.dmp

Filesize
2.9MB

Download
memory/4364-144-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-145-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-116-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-147-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-128-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-127-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-126-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-125-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-124-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-153-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4364-129-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-122-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-121-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-120-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-119-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-118-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-117-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-161-0x0000000002350000-0x0000000002484000-memory.dmp

Filesize
1.2MB

Download
memory/4364-162-0x0000000002490000-0x000000000276B000-memory.dmp

Filesize
2.9MB

Download
memory/4364-163-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4364-164-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4364-165-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4364-166-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-167-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-168-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-169-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-170-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-171-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-172-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-173-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-175-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-174-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-176-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-177-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download