danabot | 35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92

Analysis

max time kernel
286s
max time network
302s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe
Size

1.2MB
MD5

6c22e9ff51c52ea93902af7b8c2283c3
SHA1

e4afe2353cafa647916cfca70e12443dea0a6387
SHA256

35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92
SHA512

49e1345148a74a1f0e743048fcd3918c5fc06b1d09308823b95368f8bd0b8a4fba80478768f27cb341faa014fa567f19a5cef0deca10bfdd9a13811377efa7ee
SSDEEP

24576:uXhnBIzrRKpZv3ilD09IiYanTw75Vx6fO9qUigRnhqOGVdvbnu6/SZv:EBIMvPilDunTw73wOEysdC6/SZv

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

192.236.233.188:443

23.106.124.171:443

192.119.70.159:443

Attributes

embedded_hash
A813CAF845B5703DA814AF785BB60B21
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 43 IoCs

flow	pid	Process
3	624	rundll32.exe
6	624	rundll32.exe
7	624	rundll32.exe
8	624	rundll32.exe
9	624	rundll32.exe
10	624	rundll32.exe
11	624	rundll32.exe
12	624	rundll32.exe
13	624	rundll32.exe
14	624	rundll32.exe
15	624	rundll32.exe
16	624	rundll32.exe
17	624	rundll32.exe
18	624	rundll32.exe
19	624	rundll32.exe
20	624	rundll32.exe
21	624	rundll32.exe
22	624	rundll32.exe
23	624	rundll32.exe
24	624	rundll32.exe
25	624	rundll32.exe
26	624	rundll32.exe
27	624	rundll32.exe
28	624	rundll32.exe
29	624	rundll32.exe
30	624	rundll32.exe
31	624	rundll32.exe
32	624	rundll32.exe
33	624	rundll32.exe
34	624	rundll32.exe
35	624	rundll32.exe
36	624	rundll32.exe
37	624	rundll32.exe
38	624	rundll32.exe
39	624	rundll32.exe
40	624	rundll32.exe
41	624	rundll32.exe
42	624	rundll32.exe
45	624	rundll32.exe
48	624	rundll32.exe
49	624	rundll32.exe
50	624	rundll32.exe
53	624	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1048	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	27
PID 2036 wrote to memory of 1048	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	27
PID 2036 wrote to memory of 1048	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	27
PID 2036 wrote to memory of 1048	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	27
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28
PID 2036 wrote to memory of 624	2036	35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe	28

C:\Users\Admin\AppData\Local\Temp\35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe
"C:\Users\Admin\AppData\Local\Temp\35a94432b93bb87859ce8dec9a6f0725119f38d4bf0678bf645ba8b2605d9f92.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\AdapterTroubleshooter.exe
  C:\Windows\system32\AdapterTroubleshooter.exe
  2⤵
  PID:1048
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-97-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/624-98-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/624-103-0x0000000000100000-0x0000000000103000-memory.dmp

Filesize
12KB

Download
memory/624-101-0x0000000000100000-0x0000000000103000-memory.dmp

Filesize
12KB

Download
memory/624-100-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/624-99-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/624-95-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/624-63-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/624-93-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/624-96-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/624-94-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/624-65-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/1048-56-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/2036-61-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/2036-54-0x0000000002050000-0x0000000002172000-memory.dmp

Filesize
1.1MB

Download
memory/2036-60-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/2036-59-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/2036-58-0x0000000002180000-0x000000000244E000-memory.dmp

Filesize
2.8MB

Download
memory/2036-57-0x0000000002050000-0x0000000002172000-memory.dmp

Filesize
1.1MB

Download
memory/2036-102-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads