danabot | 1de272d1038a4da0e2d177520ae647d33a44333e95be0033f7935c2f545d90dc

General

Target

134ba0a636c16478f5af66d7b00882eb.exe
Size

1.1MB
MD5

134ba0a636c16478f5af66d7b00882eb
SHA1

abb04b8b4ff9fb80bab48a9a91add7d51bdaf9bd
SHA256

1de272d1038a4da0e2d177520ae647d33a44333e95be0033f7935c2f545d90dc
SHA512

b71321e7745a535a56da5cdc286c399e89f6e1eca4e1528f73944836d7c5de2277d0d8cf9372b4f5b5d277b5c241d9978ce22e381c024659afd162777615042e
SSDEEP

24576:ej0xZaRe2QNI5yotLfdzXmYA/9HgdNl9vaSz6iMpYh4/y0LK5K65:ej4aAK8Kfdz7dXzjCYm60LKn5

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

23.254.144.209:443

23.254.227.74:443

192.255.166.212:443

Attributes

embedded_hash
0E1A7A1479C37094441FA911262B322A
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 13 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\134BA0~1.DLL	DanabotLoader2021
behavioral2/memory/1780-139-0x0000000002000000-0x0000000002162000-memory.dmp	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\134BA0~1.EXE.dll	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\134BA0~1.EXE.dll	DanabotLoader2021
behavioral2/memory/1780-142-0x0000000002000000-0x0000000002162000-memory.dmp	DanabotLoader2021
behavioral2/memory/1780-150-0x0000000002000000-0x0000000002162000-memory.dmp	DanabotLoader2021
behavioral2/memory/1780-151-0x0000000002000000-0x0000000002162000-memory.dmp	DanabotLoader2021
behavioral2/memory/1780-152-0x0000000002000000-0x0000000002162000-memory.dmp	DanabotLoader2021
behavioral2/memory/1780-153-0x0000000002000000-0x0000000002162000-memory.dmp	DanabotLoader2021
behavioral2/memory/1780-154-0x0000000002000000-0x0000000002162000-memory.dmp	DanabotLoader2021
behavioral2/memory/1780-155-0x0000000002000000-0x0000000002162000-memory.dmp	DanabotLoader2021
behavioral2/memory/1780-156-0x0000000002000000-0x0000000002162000-memory.dmp	DanabotLoader2021
behavioral2/memory/1780-157-0x0000000002000000-0x0000000002162000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

76 1780 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1780 rundll32.exe
1780 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

452 4112 WerFault.exe 134ba0a636c16478f5af66d7b00882eb.exe

flow	pid	process
76	1780	rundll32.exe

pid	process
1780	rundll32.exe
1780	rundll32.exe

pid	pid_target	process	target process
452	4112	WerFault.exe	134ba0a636c16478f5af66d7b00882eb.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

134ba0a636c16478f5af66d7b00882eb.exe

description	pid	process	target process
PID 4112 wrote to memory of 1780	4112	134ba0a636c16478f5af66d7b00882eb.exe	rundll32.exe
PID 4112 wrote to memory of 1780	4112	134ba0a636c16478f5af66d7b00882eb.exe	rundll32.exe
PID 4112 wrote to memory of 1780	4112	134ba0a636c16478f5af66d7b00882eb.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\134ba0a636c16478f5af66d7b00882eb.exe
"C:\Users\Admin\AppData\Local\Temp\134ba0a636c16478f5af66d7b00882eb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\134BA0~1.DLL,s C:\Users\Admin\AppData\Local\Temp\134BA0~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 512
2⤵
- Program crash
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4112 -ip 4112
1⤵
PID:2912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\134BA0~1.DLL
Filesize
1.3MB

MD5
40634b875fdd8d555d9db662f4e743a8

SHA1
b652123b67d829f3fdf4bbb0fadfb4a4aac39fc1

SHA256
43e8d383ee1f79c0864c0111fd2dddec210d5c4e952796a434b43896875fe8fe

SHA512
ef07658ff5cf74d2d7faf1ecd729827acf6641950f09de3e6c280dabffafeab0a486559e92e102184647f8aa53b163f15ffeacaf5211bce0b5eaa01644b3f70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\134BA0~1.EXE.dll
Filesize
1.3MB

MD5
40634b875fdd8d555d9db662f4e743a8

SHA1
b652123b67d829f3fdf4bbb0fadfb4a4aac39fc1

SHA256
43e8d383ee1f79c0864c0111fd2dddec210d5c4e952796a434b43896875fe8fe

SHA512
ef07658ff5cf74d2d7faf1ecd729827acf6641950f09de3e6c280dabffafeab0a486559e92e102184647f8aa53b163f15ffeacaf5211bce0b5eaa01644b3f70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\134BA0~1.EXE.dll
Filesize
1.3MB

MD5
40634b875fdd8d555d9db662f4e743a8

SHA1
b652123b67d829f3fdf4bbb0fadfb4a4aac39fc1

SHA256
43e8d383ee1f79c0864c0111fd2dddec210d5c4e952796a434b43896875fe8fe

SHA512
ef07658ff5cf74d2d7faf1ecd729827acf6641950f09de3e6c280dabffafeab0a486559e92e102184647f8aa53b163f15ffeacaf5211bce0b5eaa01644b3f70c

Download Submit
memory/1780-142-0x0000000002000000-0x0000000002162000-memory.dmp

Filesize
1.4MB

Download
memory/1780-139-0x0000000002000000-0x0000000002162000-memory.dmp

Filesize
1.4MB

Download
memory/1780-150-0x0000000002000000-0x0000000002162000-memory.dmp

Filesize
1.4MB

Download
memory/1780-151-0x0000000002000000-0x0000000002162000-memory.dmp

Filesize
1.4MB

Download
memory/1780-152-0x0000000002000000-0x0000000002162000-memory.dmp

Filesize
1.4MB

Download
memory/1780-153-0x0000000002000000-0x0000000002162000-memory.dmp

Filesize
1.4MB

Download
memory/1780-154-0x0000000002000000-0x0000000002162000-memory.dmp

Filesize
1.4MB

Download
memory/1780-155-0x0000000002000000-0x0000000002162000-memory.dmp

Filesize
1.4MB

Download
memory/1780-156-0x0000000002000000-0x0000000002162000-memory.dmp

Filesize
1.4MB

Download
memory/1780-157-0x0000000002000000-0x0000000002162000-memory.dmp

Filesize
1.4MB

Download
memory/4112-140-0x00000000025B0000-0x00000000026B4000-memory.dmp

Filesize
1.0MB

Download
memory/4112-141-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing