danabot | 221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539

Analysis

max time kernel
325s
max time network
333s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe
Size

1.3MB
MD5

4015906016f5a97e82516c5313add3ec
SHA1

b5335aa1cc93ed08a37f22bef57ccb986ef862d9
SHA256

221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539
SHA512

2c8eac5f8f672b6c56430622331a4adc24a0fb18a5b6e34fd4b6a78c3712b6099e7bc770415c61b7792cdcaa4093e122e16e6475f917029aa682d80cace5908a
SSDEEP

24576:D/cPXh/olaaaRtNPCCBp7BwTevDaulxRA5zqT47egGoz6JqV17PFr4ah5Qrlj7:w5/4vaRtNPvBwTeb1A5+TKxj7Xl4ahC

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 17 IoCs

flow	pid	Process
3	1440	rundll32.exe
5	1440	rundll32.exe
6	1440	rundll32.exe
7	1440	rundll32.exe
10	1440	rundll32.exe
11	1440	rundll32.exe
13	1440	rundll32.exe
14	1440	rundll32.exe
15	1440	rundll32.exe
16	1440	rundll32.exe
17	1440	rundll32.exe
18	1440	rundll32.exe
19	1440	rundll32.exe
20	1440	rundll32.exe
21	1440	rundll32.exe
22	1440	rundll32.exe
23	1440	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1696	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	27
PID 1996 wrote to memory of 1696	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	27
PID 1996 wrote to memory of 1696	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	27
PID 1996 wrote to memory of 1696	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	27
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28
PID 1996 wrote to memory of 1440	1996	221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe	28

C:\Users\Admin\AppData\Local\Temp\221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe
"C:\Users\Admin\AppData\Local\Temp\221572613439d57ea9311ef6b9e729c886cc273c9d9d73ce61f4ee8a65c44539.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\AdapterTroubleshooter.exe
  C:\Windows\system32\AdapterTroubleshooter.exe
  2⤵
  PID:1696
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:1440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-98-0x0000000000110000-0x0000000000113000-memory.dmp

Filesize
12KB

Download
memory/1440-97-0x0000000000100000-0x0000000000103000-memory.dmp

Filesize
12KB

Download
memory/1440-102-0x0000000000150000-0x0000000000153000-memory.dmp

Filesize
12KB

Download
memory/1440-101-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/1440-100-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/1440-99-0x0000000000120000-0x0000000000123000-memory.dmp

Filesize
12KB

Download
memory/1440-95-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/1440-63-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/1440-93-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1440-96-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/1440-94-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1440-65-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/1696-56-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1996-61-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1996-54-0x00000000006F0000-0x0000000000816000-memory.dmp

Filesize
1.1MB

Download
memory/1996-60-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1996-59-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1996-58-0x0000000002270000-0x000000000254B000-memory.dmp

Filesize
2.9MB

Download
memory/1996-57-0x00000000006F0000-0x0000000000816000-memory.dmp

Filesize
1.1MB

Download
memory/1996-103-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download