danabot | 9ccc3410d3a38cffb1050dd9117262cfde5820c8205ab3d0d7579c320bffb183

General

Target

9c30eabfd6695f58f2b710f56b8b3927.exe
Size

1.3MB
MD5

9c30eabfd6695f58f2b710f56b8b3927
SHA1

b13e40b1c25c426f8d60211e45bbf5ab2a737623
SHA256

9ccc3410d3a38cffb1050dd9117262cfde5820c8205ab3d0d7579c320bffb183
SHA512

c6b548061da841c9e03490a0122874fef61d44ad99f61a9ade31068b32c6008f5dea11ace30a478544767a823189581b64b42a5055b93d1214860df6eef73cb5
SSDEEP

24576:CxDbmMW55xj7yxz76JgzFoy5avPZhOKCK9yXTh3KkA:CxPmMWnNyxH6OzVGPaKC3xK3

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

172.86.120.215:443

213.227.155.103:443

103.187.26.147:443

172.86.120.138:443

Attributes

embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 24 IoCs

Processes:

rundll32.exe

flow	pid	process
3	900	rundll32.exe
5	900	rundll32.exe
7	900	rundll32.exe
8	900	rundll32.exe
9	900	rundll32.exe
10	900	rundll32.exe
11	900	rundll32.exe
12	900	rundll32.exe
13	900	rundll32.exe
14	900	rundll32.exe
15	900	rundll32.exe
16	900	rundll32.exe
17	900	rundll32.exe
18	900	rundll32.exe
19	900	rundll32.exe
20	900	rundll32.exe
21	900	rundll32.exe
22	900	rundll32.exe
23	900	rundll32.exe
24	900	rundll32.exe
25	900	rundll32.exe
26	900	rundll32.exe
27	900	rundll32.exe
28	900	rundll32.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

9c30eabfd6695f58f2b710f56b8b3927.exe

description	pid	process	target process
PID 1584 wrote to memory of 1772	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	AdapterTroubleshooter.exe
PID 1584 wrote to memory of 1772	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	AdapterTroubleshooter.exe
PID 1584 wrote to memory of 1772	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	AdapterTroubleshooter.exe
PID 1584 wrote to memory of 1772	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	AdapterTroubleshooter.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe
PID 1584 wrote to memory of 900	1584	9c30eabfd6695f58f2b710f56b8b3927.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9c30eabfd6695f58f2b710f56b8b3927.exe
"C:\Users\Admin\AppData\Local\Temp\9c30eabfd6695f58f2b710f56b8b3927.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
2⤵
PID:1772

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-125-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/900-123-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/900-120-0x0000000000000000-mapping.dmp

Download
memory/900-66-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/900-129-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/900-128-0x0000000000120000-0x0000000000123000-memory.dmp

Filesize
12KB

Download
memory/900-127-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/900-126-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/900-122-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/900-64-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/900-131-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/900-124-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/1584-60-0x0000000000400000-0x0000000002D3A000-memory.dmp

Filesize
41.2MB

Download
memory/1584-62-0x0000000000400000-0x0000000002D3A000-memory.dmp

Filesize
41.2MB

Download
memory/1584-56-0x0000000004740000-0x0000000004A0C000-memory.dmp

Filesize
2.8MB

Download
memory/1584-54-0x0000000002E30000-0x0000000002F51000-memory.dmp

Filesize
1.1MB

Download
memory/1584-61-0x0000000000400000-0x0000000002D3A000-memory.dmp

Filesize
41.2MB

Download
memory/1584-55-0x0000000002E30000-0x0000000002F51000-memory.dmp

Filesize
1.1MB

Download
memory/1584-59-0x0000000000400000-0x0000000002D3A000-memory.dmp

Filesize
41.2MB

Download
memory/1584-130-0x0000000000400000-0x0000000002D3A000-memory.dmp

Filesize
41.2MB

Download
memory/1772-58-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1772-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing