danabot | 1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f

Analysis

max time kernel
329s
max time network
338s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe
Size

1.3MB
MD5

10b0c3dfacb99f9f2ca02f9df4bc96db
SHA1

13a48798517d9b28961d49bf67f5764b46ca14b7
SHA256

1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f
SHA512

b4fc3b20a9f14c777b8d69ca65d02052a13d45a3ee42fc733bdaa299339ce9c4316534b303ce413a8f43efde7d11213067991b3f969c30fefdd884f571e0cb9f
SSDEEP

24576:4ZR6p8qpPtW8oUTsfTmgxwmZMeawbzJ/Brl7NWZlPq:pyw1UU4fTXxdmezJ

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 14 IoCs

flow	pid	Process
3	1640	rundll32.exe
5	1640	rundll32.exe
6	1640	rundll32.exe
7	1640	rundll32.exe
10	1640	rundll32.exe
11	1640	rundll32.exe
12	1640	rundll32.exe
13	1640	rundll32.exe
14	1640	rundll32.exe
15	1640	rundll32.exe
16	1640	rundll32.exe
17	1640	rundll32.exe
18	1640	rundll32.exe
19	1640	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1684	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	27
PID 1984 wrote to memory of 1684	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	27
PID 1984 wrote to memory of 1684	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	27
PID 1984 wrote to memory of 1684	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	27
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28
PID 1984 wrote to memory of 1640	1984	1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe	28

C:\Users\Admin\AppData\Local\Temp\1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe
"C:\Users\Admin\AppData\Local\Temp\1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\AdapterTroubleshooter.exe
  C:\Windows\system32\AdapterTroubleshooter.exe
  2⤵
  PID:1684
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:1640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-97-0x0000000000100000-0x0000000000103000-memory.dmp

Filesize
12KB

Download
memory/1640-98-0x0000000000110000-0x0000000000113000-memory.dmp

Filesize
12KB

Download
memory/1640-102-0x0000000000150000-0x0000000000153000-memory.dmp

Filesize
12KB

Download
memory/1640-101-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/1640-100-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/1640-99-0x0000000000120000-0x0000000000123000-memory.dmp

Filesize
12KB

Download
memory/1640-96-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/1640-63-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/1640-94-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1640-95-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/1640-93-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1640-65-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/1684-56-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1984-61-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1984-54-0x0000000001F30000-0x0000000002056000-memory.dmp

Filesize
1.1MB

Download
memory/1984-60-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1984-59-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1984-58-0x0000000002060000-0x000000000233B000-memory.dmp

Filesize
2.9MB

Download
memory/1984-57-0x0000000001F30000-0x0000000002056000-memory.dmp

Filesize
1.1MB

Download
memory/1984-103-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download