danabot | 3c825d5a2cc6da2b923f3bba6ba850295e0e23ca8ddad1f716d859d585c225e6

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2022 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Faktura.PDF.exe
Size

3.2MB
MD5

5da162eebc4d19470d96c9138eef7c1b
SHA1

674fae4a60d3040bf962c8ff0af5bd14bcb9ed9e
SHA256

3c825d5a2cc6da2b923f3bba6ba850295e0e23ca8ddad1f716d859d585c225e6
SHA512

08efaea6cc218b873b23727ca6f72f06460dc5b1d3ab6af2a551f5ce6d3ea796a10112c1ab88c8e82744b614b778b239eef7ed1b3805f14c9a3a96844b3535e8
SSDEEP

98304:tjeA5Hw2+x3MOITGA2ZgtMvhjvsSk3SU7iio:heA5H9AIythjvm3lo

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

136.167.173.24

73.114.1.155

45.172.198.33

100.88.36.122

106.127.134.181

195.123.220.45

151.236.14.84

198.102.202.22

19.121.241.168

222.30.140.7

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 4 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Faktura.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\Faktura.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\Faktura.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\Faktura.dll	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
15	2252	rundll32.exe
17	2252	rundll32.exe
30	2252	rundll32.exe
36	2252	rundll32.exe
37	2252	rundll32.exe
40	2252	rundll32.exe
42	2252	rundll32.exe
43	2252	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

4964 regsvr32.exe
2252 rundll32.exe
2252 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2376 4988 WerFault.exe Faktura.PDF.exe

pid	process
4964	regsvr32.exe
2252	rundll32.exe
2252	rundll32.exe

pid	pid_target	process	target process
2376	4988	WerFault.exe	Faktura.PDF.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Faktura.PDF.exeregsvr32.exe

description	pid	process	target process
PID 4988 wrote to memory of 4964	4988	Faktura.PDF.exe	regsvr32.exe
PID 4988 wrote to memory of 4964	4988	Faktura.PDF.exe	regsvr32.exe
PID 4988 wrote to memory of 4964	4988	Faktura.PDF.exe	regsvr32.exe
PID 4964 wrote to memory of 2252	4964	regsvr32.exe	rundll32.exe
PID 4964 wrote to memory of 2252	4964	regsvr32.exe	rundll32.exe
PID 4964 wrote to memory of 2252	4964	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\Faktura.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Faktura.PDF.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\Faktura.dll f1 C:\Users\Admin\AppData\Local\Temp\FAKTUR~1.EXE@4988
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Faktura.dll,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 424
2⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4988 -ip 4988
1⤵
PID:3180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Faktura.dll
Filesize
1.3MB

MD5
d84c213b9d5f4c7d747f772524972cc6

SHA1
870e13b0eed7d595edc30d6680f402790176a6b2

SHA256
fac9994f5c4520a355ddaf2a71d796a601bc962dbad0c8831e342409d803181b

SHA512
d7b87f5ff51d512252948b4ffac11a94b573d73bf6d55e889d4af80433cd4b0cd3ed4636d8f655bdd3773b5fadba1058287d1678790b91fd35a5d56172ac133b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Faktura.dll
Filesize
1.3MB

MD5
d84c213b9d5f4c7d747f772524972cc6

SHA1
870e13b0eed7d595edc30d6680f402790176a6b2

SHA256
fac9994f5c4520a355ddaf2a71d796a601bc962dbad0c8831e342409d803181b

SHA512
d7b87f5ff51d512252948b4ffac11a94b573d73bf6d55e889d4af80433cd4b0cd3ed4636d8f655bdd3773b5fadba1058287d1678790b91fd35a5d56172ac133b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Faktura.dll
Filesize
1.3MB

MD5
d84c213b9d5f4c7d747f772524972cc6

SHA1
870e13b0eed7d595edc30d6680f402790176a6b2

SHA256
fac9994f5c4520a355ddaf2a71d796a601bc962dbad0c8831e342409d803181b

SHA512
d7b87f5ff51d512252948b4ffac11a94b573d73bf6d55e889d4af80433cd4b0cd3ed4636d8f655bdd3773b5fadba1058287d1678790b91fd35a5d56172ac133b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Faktura.dll
Filesize
1.3MB

MD5
d84c213b9d5f4c7d747f772524972cc6

SHA1
870e13b0eed7d595edc30d6680f402790176a6b2

SHA256
fac9994f5c4520a355ddaf2a71d796a601bc962dbad0c8831e342409d803181b

SHA512
d7b87f5ff51d512252948b4ffac11a94b573d73bf6d55e889d4af80433cd4b0cd3ed4636d8f655bdd3773b5fadba1058287d1678790b91fd35a5d56172ac133b

Download Submit
memory/2252-140-0x0000000000000000-mapping.dmp

Download
memory/2252-143-0x0000000002C50000-0x0000000002DB5000-memory.dmp

Filesize
1.4MB

Download
memory/4964-137-0x0000000000000000-mapping.dmp

Download
memory/4988-135-0x0000000002C60000-0x0000000002EB0000-memory.dmp

Filesize
2.3MB

Download
memory/4988-136-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4988-134-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/4988-133-0x0000000002C60000-0x0000000002EB0000-memory.dmp

Filesize
2.3MB

Download
memory/4988-132-0x0000000002A0A000-0x0000000002BC8000-memory.dmp

Filesize
1.7MB

Download
memory/4988-144-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download