danabot | 19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37

Analysis

max time kernel
181s
max time network
195s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 06:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37.exe
Size

2.0MB
MD5

5f69e3a8fe967d526555ad9be8945709
SHA1

2e72f271e87d057bf5abc1b1f3101aa93b5b41b4
SHA256

19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37
SHA512

215fbb0baff3351bdc6f25c8b8cbf1d3693f7bc63636aee9e0fe53e0f917da8f1cb47ed961d974bc01b655f71e233ad93c0aec2b4c176f47bf1cc90ffc8fd05d
SSDEEP

49152:pcgpXKjjTBmqr6zZrVaCxW5DkQ9OP0/TiIxLuOHVHM:pc4CjTBmquZo9S0/TvxHRM

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

23.254.226.20:443

198.15.112.179:443

66.85.147.23:443

Attributes

embedded_hash
8AA34A6CD5B6C9D509DB2C72E1AE6D88
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	368	rundll32.exe
3	368	rundll32.exe
4	368	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe
368	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 368	1724	19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37.exe	27
PID 1724 wrote to memory of 368	1724	19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37.exe	27
PID 1724 wrote to memory of 368	1724	19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37.exe	27
PID 1724 wrote to memory of 368	1724	19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37.exe	27
PID 1724 wrote to memory of 368	1724	19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37.exe	27
PID 1724 wrote to memory of 368	1724	19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37.exe	27
PID 1724 wrote to memory of 368	1724	19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37.exe	27

C:\Users\Admin\AppData\Local\Temp\19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37.exe
"C:\Users\Admin\AppData\Local\Temp\19a6bc39fe6abd8711a8bc650b651d3e434db4eb8b54ac92fd76ca664ecc9d37.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dhfrwpy.dll,start C:\Users\Admin\AppData\Local\Temp\19A6BC~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dhfrwpy.dll

Filesize
2.6MB

MD5
03528423ab726a2474cbfb386d14817e

SHA1
5e973a84f864e0f0313f11c7f381faf443c42017

SHA256
b137893c1a7d264e51479a9f4b73ba8a0322d4a62a0834750b04bf43574087d1

SHA512
866f26f2d7e4e219f3178bf0ea927751c5a151d6f0573f33ab40ae80b426ee891dd0af28ff0a2c558b72b4a24adf73026a0e8345a3707c597a109576724c30f4

Download Submit
\Users\Admin\AppData\Local\Temp\Dhfrwpy.dll

Filesize
2.6MB

MD5
03528423ab726a2474cbfb386d14817e

SHA1
5e973a84f864e0f0313f11c7f381faf443c42017

SHA256
b137893c1a7d264e51479a9f4b73ba8a0322d4a62a0834750b04bf43574087d1

SHA512
866f26f2d7e4e219f3178bf0ea927751c5a151d6f0573f33ab40ae80b426ee891dd0af28ff0a2c558b72b4a24adf73026a0e8345a3707c597a109576724c30f4

Download Submit
\Users\Admin\AppData\Local\Temp\Dhfrwpy.dll

Filesize
2.6MB

MD5
03528423ab726a2474cbfb386d14817e

SHA1
5e973a84f864e0f0313f11c7f381faf443c42017

SHA256
b137893c1a7d264e51479a9f4b73ba8a0322d4a62a0834750b04bf43574087d1

SHA512
866f26f2d7e4e219f3178bf0ea927751c5a151d6f0573f33ab40ae80b426ee891dd0af28ff0a2c558b72b4a24adf73026a0e8345a3707c597a109576724c30f4

Download Submit
\Users\Admin\AppData\Local\Temp\Dhfrwpy.dll

Filesize
2.6MB

MD5
03528423ab726a2474cbfb386d14817e

SHA1
5e973a84f864e0f0313f11c7f381faf443c42017

SHA256
b137893c1a7d264e51479a9f4b73ba8a0322d4a62a0834750b04bf43574087d1

SHA512
866f26f2d7e4e219f3178bf0ea927751c5a151d6f0573f33ab40ae80b426ee891dd0af28ff0a2c558b72b4a24adf73026a0e8345a3707c597a109576724c30f4

Download Submit
\Users\Admin\AppData\Local\Temp\Dhfrwpy.dll

Filesize
2.6MB

MD5
03528423ab726a2474cbfb386d14817e

SHA1
5e973a84f864e0f0313f11c7f381faf443c42017

SHA256
b137893c1a7d264e51479a9f4b73ba8a0322d4a62a0834750b04bf43574087d1

SHA512
866f26f2d7e4e219f3178bf0ea927751c5a151d6f0573f33ab40ae80b426ee891dd0af28ff0a2c558b72b4a24adf73026a0e8345a3707c597a109576724c30f4

Download Submit
memory/368-67-0x0000000000930000-0x0000000000BD9000-memory.dmp

Filesize
2.7MB

Download
memory/368-69-0x0000000000930000-0x0000000000BD9000-memory.dmp

Filesize
2.7MB

Download
memory/368-70-0x0000000000930000-0x0000000000BD9000-memory.dmp

Filesize
2.7MB

Download
memory/1724-59-0x0000000000400000-0x00000000009F9000-memory.dmp

Filesize
6.0MB

Download
memory/1724-58-0x0000000000400000-0x00000000009F9000-memory.dmp

Filesize
6.0MB

Download
memory/1724-57-0x0000000002490000-0x0000000002682000-memory.dmp

Filesize
1.9MB

Download
memory/1724-56-0x00000000022D0000-0x0000000002488000-memory.dmp

Filesize
1.7MB

Download
memory/1724-68-0x0000000000400000-0x00000000009F9000-memory.dmp

Filesize
6.0MB

Download
memory/1724-54-0x00000000022D0000-0x0000000002488000-memory.dmp

Filesize
1.7MB

Download
memory/1724-55-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download