danabot | 9f4287cdb91e820fac11434ec96ebfa1d19780863aff52c3db71726d21e841f1

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CA94B3C5AAD3083333D2A146E9F3F77B.exe
Size

2.2MB
MD5

ca94b3c5aad3083333d2a146e9f3f77b
SHA1

8f68f5ab7f2326764391552a2f0c71c347b24c30
SHA256

9f4287cdb91e820fac11434ec96ebfa1d19780863aff52c3db71726d21e841f1
SHA512

fd70b9a7f49ac993953285d44eba0a65fac5ba914de1393f20ba2748a0a93258a6c6c8dac051b3e4676745bcd38e6e7f398b01936ca76d665ccaf26cbef765ba
SSDEEP

49152:Xn5YOIqY8v6jDzSfIGG40COiuzFibk2MElu05GdwSSt:Xs8v8fSzOgb3vmwZt

Score

10^/10

danabot 53 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

176.126.113.94:443

85.208.184.5:443

Attributes

embedded_hash
0904D576D3E3892F5B164DEE5EF8790B
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 34 IoCs

Processes:

rundll32.exe

flow	pid	process
38	3580	rundll32.exe
39	3580	rundll32.exe
43	3580	rundll32.exe
46	3580	rundll32.exe
47	3580	rundll32.exe
48	3580	rundll32.exe
49	3580	rundll32.exe
52	3580	rundll32.exe
53	3580	rundll32.exe
54	3580	rundll32.exe
55	3580	rundll32.exe
56	3580	rundll32.exe
57	3580	rundll32.exe
58	3580	rundll32.exe
59	3580	rundll32.exe
60	3580	rundll32.exe
62	3580	rundll32.exe
63	3580	rundll32.exe
64	3580	rundll32.exe
65	3580	rundll32.exe
66	3580	rundll32.exe
67	3580	rundll32.exe
68	3580	rundll32.exe
69	3580	rundll32.exe
70	3580	rundll32.exe
71	3580	rundll32.exe
72	3580	rundll32.exe
73	3580	rundll32.exe
74	3580	rundll32.exe
75	3580	rundll32.exe
76	3580	rundll32.exe
77	3580	rundll32.exe
78	3580	rundll32.exe
79	3580	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CA94B3C5AAD3083333D2A146E9F3F77B.exe

pid process

4964 CA94B3C5AAD3083333D2A146E9F3F77B.exe

pid	process
4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

CA94B3C5AAD3083333D2A146E9F3F77B.exe

description	pid	process	target process
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe
PID 4964 wrote to memory of 3580	4964	CA94B3C5AAD3083333D2A146E9F3F77B.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\CA94B3C5AAD3083333D2A146E9F3F77B.exe
"C:\Users\Admin\AppData\Local\Temp\CA94B3C5AAD3083333D2A146E9F3F77B.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:3580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3580-149-0x0000000000000000-mapping.dmp

Download
memory/3580-150-0x0000000001230000-0x0000000001233000-memory.dmp

Filesize
12KB

Download
memory/3580-151-0x0000000001240000-0x0000000001243000-memory.dmp

Filesize
12KB

Download
memory/3580-153-0x0000000001240000-0x0000000001243000-memory.dmp

Filesize
12KB

Download
memory/4964-137-0x0000000003880000-0x0000000003AA9000-memory.dmp

Filesize
2.2MB

Download
memory/4964-148-0x0000000003880000-0x0000000003AA9000-memory.dmp

Filesize
2.2MB

Download
memory/4964-152-0x0000000003880000-0x0000000003AA9000-memory.dmp

Filesize
2.2MB

Download