danabot | 804a0999f1e0c5a8e083f0a36ccfe7ad8a6ab94a0c77d6ab74175540c990f95e

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/12/2022, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e10b6107066da8b83187a14c8b68b23.exe
Size

2.4MB
MD5

6e10b6107066da8b83187a14c8b68b23
SHA1

bfe5bb0d1fbd503226abf58fbd88e91e8f17ba05
SHA256

804a0999f1e0c5a8e083f0a36ccfe7ad8a6ab94a0c77d6ab74175540c990f95e
SHA512

6f4715008d918f0a940bae3970e072c39b16a6c8fb66f10bc32c4b611c93a437b3475646d0fafa3e814af6d5013a518ba5893c2c984b558f66733b4d03f83461
SSDEEP

49152:jp3TkvTxVW0z7cby/T8uzPI57F0KaCz2avq7aYm:gWMBzPI57F03C5Ym

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

embedded_hash
8F56CD73F6B5CD5D7B17B0BA61E70A82
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1996	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe
1996	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1996	544	6e10b6107066da8b83187a14c8b68b23.exe	26
PID 544 wrote to memory of 1996	544	6e10b6107066da8b83187a14c8b68b23.exe	26
PID 544 wrote to memory of 1996	544	6e10b6107066da8b83187a14c8b68b23.exe	26
PID 544 wrote to memory of 1996	544	6e10b6107066da8b83187a14c8b68b23.exe	26
PID 544 wrote to memory of 1996	544	6e10b6107066da8b83187a14c8b68b23.exe	26
PID 544 wrote to memory of 1996	544	6e10b6107066da8b83187a14c8b68b23.exe	26
PID 544 wrote to memory of 1996	544	6e10b6107066da8b83187a14c8b68b23.exe	26

C:\Users\Admin\AppData\Local\Temp\6e10b6107066da8b83187a14c8b68b23.exe
"C:\Users\Admin\AppData\Local\Temp\6e10b6107066da8b83187a14c8b68b23.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
8d7aeaa6588cacdfc10b411a0a673a59

SHA1
cebc2ea9346b6ddbedea9a978b879e22d059c380

SHA256
a9be90c90c6af4184a258238ab2797e539bf611775bf22da1d649cadabde7d51

SHA512
d89f8a527812057ef3eb1c2b5be3a9a41e69e19ebe9663344d2891e9f797c106f0fa7ef57ec5960cf1b1632c3a91f64802fb79658fc1115bec32b850a1d46231

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
8d7aeaa6588cacdfc10b411a0a673a59

SHA1
cebc2ea9346b6ddbedea9a978b879e22d059c380

SHA256
a9be90c90c6af4184a258238ab2797e539bf611775bf22da1d649cadabde7d51

SHA512
d89f8a527812057ef3eb1c2b5be3a9a41e69e19ebe9663344d2891e9f797c106f0fa7ef57ec5960cf1b1632c3a91f64802fb79658fc1115bec32b850a1d46231

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
8d7aeaa6588cacdfc10b411a0a673a59

SHA1
cebc2ea9346b6ddbedea9a978b879e22d059c380

SHA256
a9be90c90c6af4184a258238ab2797e539bf611775bf22da1d649cadabde7d51

SHA512
d89f8a527812057ef3eb1c2b5be3a9a41e69e19ebe9663344d2891e9f797c106f0fa7ef57ec5960cf1b1632c3a91f64802fb79658fc1115bec32b850a1d46231

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
8d7aeaa6588cacdfc10b411a0a673a59

SHA1
cebc2ea9346b6ddbedea9a978b879e22d059c380

SHA256
a9be90c90c6af4184a258238ab2797e539bf611775bf22da1d649cadabde7d51

SHA512
d89f8a527812057ef3eb1c2b5be3a9a41e69e19ebe9663344d2891e9f797c106f0fa7ef57ec5960cf1b1632c3a91f64802fb79658fc1115bec32b850a1d46231

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
8d7aeaa6588cacdfc10b411a0a673a59

SHA1
cebc2ea9346b6ddbedea9a978b879e22d059c380

SHA256
a9be90c90c6af4184a258238ab2797e539bf611775bf22da1d649cadabde7d51

SHA512
d89f8a527812057ef3eb1c2b5be3a9a41e69e19ebe9663344d2891e9f797c106f0fa7ef57ec5960cf1b1632c3a91f64802fb79658fc1115bec32b850a1d46231

Download Submit
memory/544-57-0x0000000000A10000-0x0000000000C5B000-memory.dmp

Filesize
2.3MB

Download
memory/544-58-0x00000000021F0000-0x0000000002575000-memory.dmp

Filesize
3.5MB

Download
memory/544-60-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/544-55-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/544-54-0x0000000000A10000-0x0000000000C5B000-memory.dmp

Filesize
2.3MB

Download
memory/1996-66-0x0000000001FD0000-0x0000000002241000-memory.dmp

Filesize
2.4MB

Download
memory/1996-67-0x0000000001FD0000-0x0000000002241000-memory.dmp

Filesize
2.4MB

Download
memory/1996-68-0x0000000001FD0000-0x0000000002241000-memory.dmp

Filesize
2.4MB

Download