danabot | efea506aa6c712ac7962165447a333bdab624754e6eb313def41fca4777e84c9

General

Target

dc66de46dd397c1e800638e1bcf5021d.exe
Size

1.3MB
MD5

dc66de46dd397c1e800638e1bcf5021d
SHA1

120d14d14478f8d14611d04b5dc2645c7a4d63e7
SHA256

efea506aa6c712ac7962165447a333bdab624754e6eb313def41fca4777e84c9
SHA512

ff2710cf22f3daaf2ab575a0d2bab995d8f3383d9f3f12e36c6c398c1d9a5c8faf4d5ad084d636e4f86388ce4275a2c926af603dcd0f3b9425b6bf9d7aa45217
SSDEEP

24576:a9NtRjf+f3mBI/mPU37QO4AdxmUq2omqBoI+0l7lI2U9HoP:a9NffKOI/fxhomCrxW2kIP

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

172.86.120.215:443

213.227.155.103:443

103.187.26.147:443

172.86.120.138:443

Attributes

embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 24 IoCs

Processes:

rundll32.exe

flow	pid	process
3	1492	rundll32.exe
6	1492	rundll32.exe
7	1492	rundll32.exe
8	1492	rundll32.exe
9	1492	rundll32.exe
10	1492	rundll32.exe
11	1492	rundll32.exe
12	1492	rundll32.exe
13	1492	rundll32.exe
14	1492	rundll32.exe
15	1492	rundll32.exe
16	1492	rundll32.exe
17	1492	rundll32.exe
18	1492	rundll32.exe
19	1492	rundll32.exe
20	1492	rundll32.exe
21	1492	rundll32.exe
22	1492	rundll32.exe
23	1492	rundll32.exe
24	1492	rundll32.exe
25	1492	rundll32.exe
26	1492	rundll32.exe
27	1492	rundll32.exe
28	1492	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

dc66de46dd397c1e800638e1bcf5021d.exe

description	pid	process	target process
PID 1096 wrote to memory of 1628	1096	dc66de46dd397c1e800638e1bcf5021d.exe	AdapterTroubleshooter.exe
PID 1096 wrote to memory of 1628	1096	dc66de46dd397c1e800638e1bcf5021d.exe	AdapterTroubleshooter.exe
PID 1096 wrote to memory of 1628	1096	dc66de46dd397c1e800638e1bcf5021d.exe	AdapterTroubleshooter.exe
PID 1096 wrote to memory of 1628	1096	dc66de46dd397c1e800638e1bcf5021d.exe	AdapterTroubleshooter.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe
PID 1096 wrote to memory of 1492	1096	dc66de46dd397c1e800638e1bcf5021d.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\dc66de46dd397c1e800638e1bcf5021d.exe
"C:\Users\Admin\AppData\Local\Temp\dc66de46dd397c1e800638e1bcf5021d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
2⤵
PID:1628

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-60-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/1096-62-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/1096-70-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/1096-57-0x0000000002E70000-0x0000000002F91000-memory.dmp

Filesize
1.1MB

Download
memory/1096-58-0x0000000004760000-0x0000000004A2C000-memory.dmp

Filesize
2.8MB

Download
memory/1096-59-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/1096-54-0x0000000002E70000-0x0000000002F91000-memory.dmp

Filesize
1.1MB

Download
memory/1492-63-0x0000000000180000-0x0000000000182000-memory.dmp

Filesize
8KB

Download
memory/1492-65-0x0000000000000000-mapping.dmp

Download
memory/1492-67-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1492-68-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1492-69-0x00000000000E0000-0x00000000000E2000-memory.dmp

Filesize
8KB

Download
memory/1492-71-0x00000000000E0000-0x00000000000E2000-memory.dmp

Filesize
8KB

Download
memory/1628-55-0x0000000000000000-mapping.dmp

Download
memory/1628-56-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing