danabot | 24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2022 07:48

Target

24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe
Size

1.2MB
MD5

39ae3110dc8ee4239811f2a1083e675e
SHA1

f235ea35b4a408a052ec5bc93310adb77b52ecbc
SHA256

24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7
SHA512

cee1b9804a3a3d4f033d8076f66ffd6021a0b017a7588b96749d319d382056847d26aedc2f1fa5b7140c01697407da3c2873d59c78044376b083bc8f0c8494ee
SSDEEP

24576:aG4NAckBXt2Uj3WTNWIcXuDTPyYaOnuhZiOASiN0A:O0shOeDjzagumObiN

Score

10^/10

Family

danabot

Botnet

192.119.110.73:443

192.236.192.201:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\24989D~1.DLL	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\24989D~1.EXE.dll	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

32 3468 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3468 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3464 4844 WerFault.exe 24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe

flow	pid	process
32	3468	rundll32.exe

pid	process
3468	rundll32.exe

pid	pid_target	process	target process
3464	4844	WerFault.exe	24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe

description	pid	process	target process
PID 4844 wrote to memory of 3468	4844	24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe	rundll32.exe
PID 4844 wrote to memory of 3468	4844	24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe	rundll32.exe
PID 4844 wrote to memory of 3468	4844	24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe
"C:\Users\Admin\AppData\Local\Temp\24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 536
2⤵
- Program crash
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4844 -ip 4844
1⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\24989D~1.DLL
Filesize
1.3MB

MD5
75fc2614c6155104791c20a2bb421ac1

SHA1
4b310814161ee1605a10536f32b40bb98d74eb9c

SHA256
5ed2de37c6a40fb6ce089d14a025aa9c5422ece049c6fbd4f5bc33fe34a6b50b

SHA512
ce439aae25431cb127c72424960a65655ae4d1500fd44c3ac0721d88d437ac2aef02d0303691811293010cb79cfe1a1840ac9e6708b210848637e00723e4782d

Download Submit
C:\Users\Admin\AppData\Local\Temp\24989D~1.EXE.dll
Filesize
1.3MB

MD5
75fc2614c6155104791c20a2bb421ac1

SHA1
4b310814161ee1605a10536f32b40bb98d74eb9c

SHA256
5ed2de37c6a40fb6ce089d14a025aa9c5422ece049c6fbd4f5bc33fe34a6b50b

SHA512
ce439aae25431cb127c72424960a65655ae4d1500fd44c3ac0721d88d437ac2aef02d0303691811293010cb79cfe1a1840ac9e6708b210848637e00723e4782d

Download Submit
memory/3468-134-0x0000000000000000-mapping.dmp

Download
memory/4844-132-0x0000000002360000-0x000000000244E000-memory.dmp

Filesize
952KB

Download
memory/4844-133-0x0000000002450000-0x0000000002556000-memory.dmp

Filesize
1.0MB

Download
memory/4844-137-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/4844-138-0x0000000002450000-0x0000000002556000-memory.dmp

Filesize
1.0MB

Download