danabot | 9f4287cdb91e820fac11434ec96ebfa1d19780863aff52c3db71726d21e841f1

General

Target

CA94B3C5AAD3083333D2A146E9F3F77B.exe
Size

2.2MB
MD5

ca94b3c5aad3083333d2a146e9f3f77b
SHA1

8f68f5ab7f2326764391552a2f0c71c347b24c30
SHA256

9f4287cdb91e820fac11434ec96ebfa1d19780863aff52c3db71726d21e841f1
SHA512

fd70b9a7f49ac993953285d44eba0a65fac5ba914de1393f20ba2748a0a93258a6c6c8dac051b3e4676745bcd38e6e7f398b01936ca76d665ccaf26cbef765ba
SSDEEP

49152:Xn5YOIqY8v6jDzSfIGG40COiuzFibk2MElu05GdwSSt:Xs8v8fSzOgb3vmwZt

Score

10^/10

danabot 53 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

53

C2

176.126.113.94:443

85.208.184.5:443

Attributes

embedded_hash
0904D576D3E3892F5B164DEE5EF8790B
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 38 IoCs

Processes:

rundll32.exe

flow	pid	process
3	1528	rundll32.exe
5	1528	rundll32.exe
6	1528	rundll32.exe
7	1528	rundll32.exe
8	1528	rundll32.exe
9	1528	rundll32.exe
10	1528	rundll32.exe
11	1528	rundll32.exe
12	1528	rundll32.exe
13	1528	rundll32.exe
14	1528	rundll32.exe
15	1528	rundll32.exe
16	1528	rundll32.exe
17	1528	rundll32.exe
18	1528	rundll32.exe
19	1528	rundll32.exe
20	1528	rundll32.exe
21	1528	rundll32.exe
22	1528	rundll32.exe
23	1528	rundll32.exe
24	1528	rundll32.exe
25	1528	rundll32.exe
26	1528	rundll32.exe
27	1528	rundll32.exe
28	1528	rundll32.exe
29	1528	rundll32.exe
30	1528	rundll32.exe
31	1528	rundll32.exe
32	1528	rundll32.exe
33	1528	rundll32.exe
34	1528	rundll32.exe
35	1528	rundll32.exe
36	1528	rundll32.exe
37	1528	rundll32.exe
38	1528	rundll32.exe
39	1528	rundll32.exe
40	1528	rundll32.exe
41	1528	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CA94B3C5AAD3083333D2A146E9F3F77B.exe

pid process

892 CA94B3C5AAD3083333D2A146E9F3F77B.exe

pid	process
892	CA94B3C5AAD3083333D2A146E9F3F77B.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

CA94B3C5AAD3083333D2A146E9F3F77B.exe

description	pid	process	target process
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 892 wrote to memory of 1528	892	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\CA94B3C5AAD3083333D2A146E9F3F77B.exe
"C:\Users\Admin\AppData\Local\Temp\CA94B3C5AAD3083333D2A146E9F3F77B.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-56-0x0000000003F10000-0x0000000004139000-memory.dmp

Filesize
2.2MB

Download
memory/892-67-0x0000000003F10000-0x0000000004139000-memory.dmp

Filesize
2.2MB

Download
memory/892-68-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/892-139-0x0000000003F10000-0x0000000004139000-memory.dmp

Filesize
2.2MB

Download
memory/1528-129-0x0000000000100000-0x0000000000104000-memory.dmp

Filesize
16KB

Download
memory/1528-132-0x0000000000170000-0x0000000000174000-memory.dmp

Filesize
16KB

Download
memory/1528-125-0x00000000000C0000-0x00000000000C4000-memory.dmp

Filesize
16KB

Download
memory/1528-126-0x00000000000D0000-0x00000000000D4000-memory.dmp

Filesize
16KB

Download
memory/1528-127-0x00000000000E0000-0x00000000000E4000-memory.dmp

Filesize
16KB

Download
memory/1528-128-0x00000000000F0000-0x00000000000F4000-memory.dmp

Filesize
16KB

Download
memory/1528-71-0x0000000000290000-0x0000000000294000-memory.dmp

Filesize
16KB

Download
memory/1528-130-0x0000000000150000-0x0000000000154000-memory.dmp

Filesize
16KB

Download
memory/1528-131-0x0000000000160000-0x0000000000164000-memory.dmp

Filesize
16KB

Download
memory/1528-123-0x0000000000000000-mapping.dmp

Download
memory/1528-133-0x0000000000180000-0x0000000000184000-memory.dmp

Filesize
16KB

Download
memory/1528-134-0x0000000000190000-0x0000000000194000-memory.dmp

Filesize
16KB

Download
memory/1528-135-0x00000000001A0000-0x00000000001A4000-memory.dmp

Filesize
16KB

Download
memory/1528-136-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/1528-137-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1528-138-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download
memory/1528-69-0x0000000000290000-0x0000000000294000-memory.dmp

Filesize
16KB

Download
memory/1528-140-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing