danabot | 9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a

Analysis

max time kernel
298s
max time network
318s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe
Size

1.2MB
MD5

20414be8ceb675059f5fb9d2f656e7b9
SHA1

5dbd2930909ef93772b592a6fc3452ce173b1a63
SHA256

9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a
SHA512

15f78877242404125e50bcfc9989d1b906daea2a4f9feb4b067900fefe62e91eb74492938d06c123e37fa8ff46789216d2d6797c9ba4aa72161aee331c85b2d5
SSDEEP

24576:dXvVcG5KIkfbO8FuS/uWFYHLss1kLIM6VPdzMcGEcdoV8Kv:dXvVJPibx/rFYHwswInVPdIRRdhKv

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

Attributes

embedded_hash
F11D3871631E16E8DE15C24B32328D98
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 42 IoCs

flow	pid	Process
3	1096	rundll32.exe
6	1096	rundll32.exe
7	1096	rundll32.exe
8	1096	rundll32.exe
10	1096	rundll32.exe
11	1096	rundll32.exe
12	1096	rundll32.exe
13	1096	rundll32.exe
14	1096	rundll32.exe
15	1096	rundll32.exe
16	1096	rundll32.exe
19	1096	rundll32.exe
20	1096	rundll32.exe
21	1096	rundll32.exe
22	1096	rundll32.exe
23	1096	rundll32.exe
24	1096	rundll32.exe
25	1096	rundll32.exe
26	1096	rundll32.exe
27	1096	rundll32.exe
28	1096	rundll32.exe
29	1096	rundll32.exe
30	1096	rundll32.exe
31	1096	rundll32.exe
32	1096	rundll32.exe
33	1096	rundll32.exe
34	1096	rundll32.exe
35	1096	rundll32.exe
36	1096	rundll32.exe
37	1096	rundll32.exe
38	1096	rundll32.exe
39	1096	rundll32.exe
40	1096	rundll32.exe
41	1096	rundll32.exe
42	1096	rundll32.exe
43	1096	rundll32.exe
44	1096	rundll32.exe
45	1096	rundll32.exe
46	1096	rundll32.exe
47	1096	rundll32.exe
48	1096	rundll32.exe
51	1096	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 1600	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	27
PID 692 wrote to memory of 1600	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	27
PID 692 wrote to memory of 1600	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	27
PID 692 wrote to memory of 1600	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	27
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28
PID 692 wrote to memory of 1096	692	9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe	28

C:\Users\Admin\AppData\Local\Temp\9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe
"C:\Users\Admin\AppData\Local\Temp\9e2e09592af42e6493216ccfa7b4c8d9e6a09249082edfdbdcd293cb5a8f1e9a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\SysWOW64\AdapterTroubleshooter.exe
  C:\Windows\system32\AdapterTroubleshooter.exe
  2⤵
  PID:1600
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:1096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/692-62-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/692-55-0x0000000000720000-0x000000000083B000-memory.dmp

Filesize
1.1MB

Download
memory/692-104-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/692-54-0x0000000000720000-0x000000000083B000-memory.dmp

Filesize
1.1MB

Download
memory/692-58-0x0000000001F70000-0x000000000222B000-memory.dmp

Filesize
2.7MB

Download
memory/692-59-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/692-60-0x0000000000720000-0x000000000083B000-memory.dmp

Filesize
1.1MB

Download
memory/692-61-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1096-66-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1096-96-0x00000000000E0000-0x00000000000E4000-memory.dmp

Filesize
16KB

Download
memory/1096-103-0x0000000000150000-0x0000000000154000-memory.dmp

Filesize
16KB

Download
memory/1096-95-0x00000000000D0000-0x00000000000D4000-memory.dmp

Filesize
16KB

Download
memory/1096-94-0x00000000000C0000-0x00000000000C4000-memory.dmp

Filesize
16KB

Download
memory/1096-97-0x00000000000F0000-0x00000000000F4000-memory.dmp

Filesize
16KB

Download
memory/1096-64-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1096-99-0x0000000000110000-0x0000000000114000-memory.dmp

Filesize
16KB

Download
memory/1096-98-0x0000000000100000-0x0000000000104000-memory.dmp

Filesize
16KB

Download
memory/1096-100-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/1096-101-0x0000000000130000-0x0000000000134000-memory.dmp

Filesize
16KB

Download
memory/1096-102-0x0000000000140000-0x0000000000144000-memory.dmp

Filesize
16KB

Download
memory/1600-57-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads