Overview

overview

10

Static

static

Faktura.PDF.exe

windows7-x64

10

Faktura.PDF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    17-10-2022 13:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Faktura.PDF.exe

  • Size

    3.2MB

  • MD5

    5da162eebc4d19470d96c9138eef7c1b

  • SHA1

    674fae4a60d3040bf962c8ff0af5bd14bcb9ed9e

  • SHA256

    3c825d5a2cc6da2b923f3bba6ba850295e0e23ca8ddad1f716d859d585c225e6

  • SHA512

    08efaea6cc218b873b23727ca6f72f06460dc5b1d3ab6af2a551f5ce6d3ea796a10112c1ab88c8e82744b614b778b239eef7ed1b3805f14c9a3a96844b3535e8

  • SSDEEP

    98304:tjeA5Hw2+x3MOITGA2ZgtMvhjvsSk3SU7iio:heA5H9AIythjvm3lo

Score
10/10
danabotbankerbotnettrojan

Malware Config

Extracted

Family

danabot

C2

136.167.173.24

73.114.1.155

45.172.198.33

100.88.36.122

106.127.134.181

195.123.220.45

151.236.14.84

198.102.202.22

19.121.241.168

222.30.140.7
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 6 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Faktura.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Faktura.PDF.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\Faktura.dll f1 C:\Users\Admin\AppData\Local\Temp\FAKTUR~1.EXE@1768
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Faktura.dll,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:1624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Faktura.dll
    Filesize

    1.3MB

    MD5

    46129d77bca64325bf25b85b56915dd5

    SHA1

    12ff543e9cf3d1fcebbb7672457c6b5435c770e9

    SHA256

    4a8008bcc63b512385d468be8422cdbd41e07a7a4e2c25af856a3c67297f9346

    SHA512

    c9907742dea5ff3f489ad07f4899e5f895229e22b35946dbd9dd7831eb3f5363035b8b7d7fd0184e11edc987bdb1500e09231211da0c1c56dbce6499f3c2ed81

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Faktura.dll
    Filesize

    1.3MB

    MD5

    46129d77bca64325bf25b85b56915dd5

    SHA1

    12ff543e9cf3d1fcebbb7672457c6b5435c770e9

    SHA256

    4a8008bcc63b512385d468be8422cdbd41e07a7a4e2c25af856a3c67297f9346

    SHA512

    c9907742dea5ff3f489ad07f4899e5f895229e22b35946dbd9dd7831eb3f5363035b8b7d7fd0184e11edc987bdb1500e09231211da0c1c56dbce6499f3c2ed81

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Faktura.dll
    Filesize

    1.3MB

    MD5

    46129d77bca64325bf25b85b56915dd5

    SHA1

    12ff543e9cf3d1fcebbb7672457c6b5435c770e9

    SHA256

    4a8008bcc63b512385d468be8422cdbd41e07a7a4e2c25af856a3c67297f9346

    SHA512

    c9907742dea5ff3f489ad07f4899e5f895229e22b35946dbd9dd7831eb3f5363035b8b7d7fd0184e11edc987bdb1500e09231211da0c1c56dbce6499f3c2ed81

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Faktura.dll
    Filesize

    1.3MB

    MD5

    46129d77bca64325bf25b85b56915dd5

    SHA1

    12ff543e9cf3d1fcebbb7672457c6b5435c770e9

    SHA256

    4a8008bcc63b512385d468be8422cdbd41e07a7a4e2c25af856a3c67297f9346

    SHA512

    c9907742dea5ff3f489ad07f4899e5f895229e22b35946dbd9dd7831eb3f5363035b8b7d7fd0184e11edc987bdb1500e09231211da0c1c56dbce6499f3c2ed81

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Faktura.dll
    Filesize

    1.3MB

    MD5

    46129d77bca64325bf25b85b56915dd5

    SHA1

    12ff543e9cf3d1fcebbb7672457c6b5435c770e9

    SHA256

    4a8008bcc63b512385d468be8422cdbd41e07a7a4e2c25af856a3c67297f9346

    SHA512

    c9907742dea5ff3f489ad07f4899e5f895229e22b35946dbd9dd7831eb3f5363035b8b7d7fd0184e11edc987bdb1500e09231211da0c1c56dbce6499f3c2ed81

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Faktura.dll
    Filesize

    1.3MB

    MD5

    46129d77bca64325bf25b85b56915dd5

    SHA1

    12ff543e9cf3d1fcebbb7672457c6b5435c770e9

    SHA256

    4a8008bcc63b512385d468be8422cdbd41e07a7a4e2c25af856a3c67297f9346

    SHA512

    c9907742dea5ff3f489ad07f4899e5f895229e22b35946dbd9dd7831eb3f5363035b8b7d7fd0184e11edc987bdb1500e09231211da0c1c56dbce6499f3c2ed81

    Download Submit
  • memory/1624-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-70-0x0000000000880000-0x00000000009E5000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1768-60-0x0000000000400000-0x000000000074A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1768-57-0x0000000000400000-0x000000000074A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1768-54-0x0000000002560000-0x00000000027B3000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/1768-56-0x00000000027C0000-0x0000000002A10000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/1768-55-0x0000000002560000-0x000000000271E000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2032-59-0x0000000076961000-0x0000000076963000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2032-58-0x0000000000000000-mapping.dmp
    Download
  • memory/2032-63-0x0000000001F50000-0x00000000020B5000-memory.dmp
    Filesize

    1.4MB

    Download