danabot | 3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8

Analysis

max time kernel
289s
max time network
317s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe
Size

1.3MB
MD5

5e7f14e77375a2684af2efbf2f563e0e
SHA1

712ab6e9506e2d681e0f0a7d8bda6932f519153f
SHA256

3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8
SHA512

9dfead057ae2a253aaa33c030c6be68c3595fd604c80452fa713115bb724a4a55ebe812092ee29382a6de7979cefafe3e6da2e49bded0f3628829473de65cc27
SSDEEP

24576:J17E6Hri5ZlI3cj+4K/w9BR1jSQU0rVJhjHmrPZadY6JS+3vTCTKyyPRXCUW:f7E6HG5Zap4QqVHrhmrOJSWSVyPRV

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 17 IoCs

flow	pid	Process
3	1584	rundll32.exe
5	1584	rundll32.exe
6	1584	rundll32.exe
7	1584	rundll32.exe
10	1584	rundll32.exe
11	1584	rundll32.exe
13	1584	rundll32.exe
14	1584	rundll32.exe
15	1584	rundll32.exe
16	1584	rundll32.exe
17	1584	rundll32.exe
18	1584	rundll32.exe
19	1584	rundll32.exe
20	1584	rundll32.exe
21	1584	rundll32.exe
22	1584	rundll32.exe
23	1584	rundll32.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 992	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	28
PID 1912 wrote to memory of 992	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	28
PID 1912 wrote to memory of 992	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	28
PID 1912 wrote to memory of 992	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	28
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29
PID 1912 wrote to memory of 1584	1912	3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe	29

C:\Users\Admin\AppData\Local\Temp\3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe
"C:\Users\Admin\AppData\Local\Temp\3e83ffc07aba1a81fac2a85969c813581ff5083a1b17023bf87817cfba3c1bc8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\AdapterTroubleshooter.exe
  C:\Windows\system32\AdapterTroubleshooter.exe
  2⤵
  PID:992
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:1584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/992-56-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/992-55-0x0000000000000000-mapping.dmp

Download
memory/1584-119-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/1584-121-0x0000000000140000-0x0000000000144000-memory.dmp

Filesize
16KB

Download
memory/1584-113-0x0000000000080000-0x0000000000084000-memory.dmp

Filesize
16KB

Download
memory/1584-114-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1584-115-0x00000000000A0000-0x00000000000A4000-memory.dmp

Filesize
16KB

Download
memory/1584-116-0x00000000000B0000-0x00000000000B4000-memory.dmp

Filesize
16KB

Download
memory/1584-63-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/1584-65-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/1584-111-0x0000000000000000-mapping.dmp

Download
memory/1584-123-0x0000000000160000-0x0000000000164000-memory.dmp

Filesize
16KB

Download
memory/1584-122-0x0000000000150000-0x0000000000154000-memory.dmp

Filesize
16KB

Download
memory/1584-117-0x00000000000C0000-0x00000000000C4000-memory.dmp

Filesize
16KB

Download
memory/1584-120-0x0000000000130000-0x0000000000134000-memory.dmp

Filesize
16KB

Download
memory/1584-118-0x00000000000D0000-0x00000000000D4000-memory.dmp

Filesize
16KB

Download
memory/1912-54-0x00000000006F0000-0x0000000000816000-memory.dmp

Filesize
1.1MB

Download
memory/1912-57-0x00000000006F0000-0x0000000000816000-memory.dmp

Filesize
1.1MB

Download
memory/1912-61-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1912-60-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1912-59-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1912-58-0x0000000001F70000-0x000000000224B000-memory.dmp

Filesize
2.9MB

Download
memory/1912-124-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download