danabot | 6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960

Analysis

max time kernel
288s
max time network
302s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe
Size

1.2MB
MD5

e70c8bbbd8faa7cb8fb555f6bbe98a12
SHA1

c6c1d1fa31fe1d2906ef7837c1151a1d13a80679
SHA256

6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960
SHA512

3029d003a4d59dff4549959a030407f47136cfd8b85c985bd55aa800590579e95183d50de740c09cacc7fe2e9113d162c3b1296d7b2dff679c4a77ab7aded0ef
SSDEEP

24576:xImPENtb1LF4cCysOYImXOO9u8TFYFfZd4rj9YlmAxOZppvOGTJ/u:xLsfAIo40S9ZeRkmAxOHpvOG1G

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 17 IoCs

flow	pid	Process
3	1716	rundll32.exe
5	1716	rundll32.exe
6	1716	rundll32.exe
7	1716	rundll32.exe
10	1716	rundll32.exe
11	1716	rundll32.exe
13	1716	rundll32.exe
14	1716	rundll32.exe
15	1716	rundll32.exe
16	1716	rundll32.exe
17	1716	rundll32.exe
18	1716	rundll32.exe
19	1716	rundll32.exe
20	1716	rundll32.exe
21	1716	rundll32.exe
22	1716	rundll32.exe
23	1716	rundll32.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 696	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	27
PID 1672 wrote to memory of 696	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	27
PID 1672 wrote to memory of 696	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	27
PID 1672 wrote to memory of 696	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	27
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28
PID 1672 wrote to memory of 1716	1672	6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe	28

C:\Users\Admin\AppData\Local\Temp\6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe
"C:\Users\Admin\AppData\Local\Temp\6563565af9b7b4e106e8687f64a80922b10dc33e3f4020b07b8b640575d35960.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\AdapterTroubleshooter.exe
  C:\Windows\system32\AdapterTroubleshooter.exe
  2⤵
  PID:696
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:1716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/696-58-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-54-0x0000000001F00000-0x0000000002026000-memory.dmp

Filesize
1.1MB

Download
memory/1672-55-0x0000000001F00000-0x0000000002026000-memory.dmp

Filesize
1.1MB

Download
memory/1672-56-0x00000000020F0000-0x00000000023CB000-memory.dmp

Filesize
2.9MB

Download
memory/1672-59-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1672-60-0x00000000020F0000-0x00000000023CB000-memory.dmp

Filesize
2.9MB

Download
memory/1672-61-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1672-62-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1672-81-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1716-69-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1716-74-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/1716-70-0x00000000000A0000-0x00000000000A2000-memory.dmp

Filesize
8KB

Download
memory/1716-71-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1716-72-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/1716-73-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download
memory/1716-68-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1716-75-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/1716-76-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/1716-77-0x0000000000150000-0x0000000000152000-memory.dmp

Filesize
8KB

Download
memory/1716-78-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1716-79-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/1716-80-0x0000000000180000-0x0000000000182000-memory.dmp

Filesize
8KB

Download
memory/1716-64-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download