danabot | 59373e55e84ab54d72a9055139cdd5f616cf20d675c80a6f43d0187e90708e95

Analysis

max time kernel
112s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 14:31

Target

59373e55e84ab54d72a9055139cdd5f616cf20d675c80a6f43d0187e90708e95.dll
Size

2.4MB
MD5

9063f431865e37cebc4787654a00d422
SHA1

28c42d6109dfd329580aa36e7c75a8053523ee8a
SHA256

59373e55e84ab54d72a9055139cdd5f616cf20d675c80a6f43d0187e90708e95
SHA512

4f276fcecbcec0cca1a6addfee3493a38038157cf1c4e176c766aaae9b758cd6010b1de5930077e14635762dcd1502602456797789c6e1fb337c1d76e454dc42
SSDEEP

49152:zrqVHNsAsWe8AdaSTBfA3XGGuGqTN8LxZ:zaPenfA32h8Lz

Score

10^/10

Family

danabot

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4488 wrote to memory of 1064	4488	rundll32.exe	rundll32.exe
PID 4488 wrote to memory of 1064	4488	rundll32.exe	rundll32.exe
PID 4488 wrote to memory of 1064	4488	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\59373e55e84ab54d72a9055139cdd5f616cf20d675c80a6f43d0187e90708e95.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\59373e55e84ab54d72a9055139cdd5f616cf20d675c80a6f43d0187e90708e95.dll,#1
2⤵
PID:1064

memory/1064-132-0x0000000000000000-mapping.dmp

Download
memory/1064-133-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/1064-134-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download