danabot | 295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8

Analysis

max time kernel
88s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bb2b15ca73128dbc816ea4ed583119c.exe
Size

2.4MB
MD5

0bb2b15ca73128dbc816ea4ed583119c
SHA1

17d05964d9208ca1a27fd007ad5f41752cfa893e
SHA256

295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8
SHA512

d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375
SSDEEP

49152:iXD0rCNQqajG67hoNMT2yt/bnrs/ddS972dXd43qq6auVL4/J+B:iXD0rCNq/Fn7mdS9ydNzpPVecB

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

embedded_hash
8F56CD73F6B5CD5D7B17B0BA61E70A82
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

3400 rundll32.exe
3400 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5048 4456 WerFault.exe 0bb2b15ca73128dbc816ea4ed583119c.exe

pid	process
3400	rundll32.exe
3400	rundll32.exe

pid	pid_target	process	target process
5048	4456	WerFault.exe	0bb2b15ca73128dbc816ea4ed583119c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0bb2b15ca73128dbc816ea4ed583119c.exe

description	pid	process	target process
PID 4456 wrote to memory of 3400	4456	0bb2b15ca73128dbc816ea4ed583119c.exe	rundll32.exe
PID 4456 wrote to memory of 3400	4456	0bb2b15ca73128dbc816ea4ed583119c.exe	rundll32.exe
PID 4456 wrote to memory of 3400	4456	0bb2b15ca73128dbc816ea4ed583119c.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0bb2b15ca73128dbc816ea4ed583119c.exe
"C:\Users\Admin\AppData\Local\Temp\0bb2b15ca73128dbc816ea4ed583119c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
2⤵
- Loads dropped DLL
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 480
2⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4456 -ip 4456
1⤵
PID:2176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
ae978613354d7feee71b2ea7ca999d8c

SHA1
137b0205d39c1d63f856f8b7666e0afc592c5922

SHA256
84510975754ef63e6160f3234296af1f7d95ae5d4159d29fc56e802957d15f2a

SHA512
ed86b1c0580bd8ab5be644e34cab8963a70dfe3e8dd79953c4f3bcffc26d7e5a2a387608eb00be97add7a26d477992e76b181efa5f6d19bad2cf876ee261b850

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
ae978613354d7feee71b2ea7ca999d8c

SHA1
137b0205d39c1d63f856f8b7666e0afc592c5922

SHA256
84510975754ef63e6160f3234296af1f7d95ae5d4159d29fc56e802957d15f2a

SHA512
ed86b1c0580bd8ab5be644e34cab8963a70dfe3e8dd79953c4f3bcffc26d7e5a2a387608eb00be97add7a26d477992e76b181efa5f6d19bad2cf876ee261b850

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
ae978613354d7feee71b2ea7ca999d8c

SHA1
137b0205d39c1d63f856f8b7666e0afc592c5922

SHA256
84510975754ef63e6160f3234296af1f7d95ae5d4159d29fc56e802957d15f2a

SHA512
ed86b1c0580bd8ab5be644e34cab8963a70dfe3e8dd79953c4f3bcffc26d7e5a2a387608eb00be97add7a26d477992e76b181efa5f6d19bad2cf876ee261b850

Download Submit
memory/3400-134-0x0000000000000000-mapping.dmp

Download
memory/3400-138-0x0000000001F30000-0x00000000021A1000-memory.dmp

Filesize
2.4MB

Download
memory/3400-140-0x0000000001F30000-0x00000000021A1000-memory.dmp

Filesize
2.4MB

Download
memory/3400-141-0x0000000001F30000-0x00000000021A1000-memory.dmp

Filesize
2.4MB

Download
memory/4456-132-0x0000000000A9D000-0x0000000000CE8000-memory.dmp

Filesize
2.3MB

Download
memory/4456-133-0x0000000002690000-0x0000000002A15000-memory.dmp

Filesize
3.5MB

Download
memory/4456-139-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download