danabot | 79c78c566a3eef320ab9b6df4da247462250acd908e98be22461929b3fe4ec39

General

Target

07828a66286c07d883d03fbac1c7d628.exe
Size

1.1MB
MD5

07828a66286c07d883d03fbac1c7d628
SHA1

64721c7e154f07841dd2e30a95dcf3a23033590f
SHA256

79c78c566a3eef320ab9b6df4da247462250acd908e98be22461929b3fe4ec39
SHA512

2c9638990c8088442d2847f3f45d7ccebeed4d0bef0a52f7761a8a4e81be53e683aa3350c617456e10c4d4bb18a205627f7b7169d1f69330cb57a2c5e13cfd6f
SSDEEP

24576:rhxjcpMRNv57ENuzPFUob5/qFKGtd8HjW0YBXoX+jE:rNR77EoX5/qwGjk+Y+jE

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.192.232:443

192.119.110.73:443

142.11.242.31:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\07828A~1.DLL	DanabotLoader2021
behavioral1/memory/1720-13-0x0000000000550000-0x00000000006B1000-memory.dmp	DanabotLoader2021
behavioral1/memory/1720-14-0x0000000000550000-0x00000000006B1000-memory.dmp	DanabotLoader2021
behavioral1/memory/1720-22-0x0000000000550000-0x00000000006B1000-memory.dmp	DanabotLoader2021
behavioral1/memory/1720-23-0x0000000000550000-0x00000000006B1000-memory.dmp	DanabotLoader2021
behavioral1/memory/1720-24-0x0000000000550000-0x00000000006B1000-memory.dmp	DanabotLoader2021
behavioral1/memory/1720-25-0x0000000000550000-0x00000000006B1000-memory.dmp	DanabotLoader2021
behavioral1/memory/1720-26-0x0000000000550000-0x00000000006B1000-memory.dmp	DanabotLoader2021
behavioral1/memory/1720-27-0x0000000000550000-0x00000000006B1000-memory.dmp	DanabotLoader2021
behavioral1/memory/1720-28-0x0000000000550000-0x00000000006B1000-memory.dmp	DanabotLoader2021
behavioral1/memory/1720-29-0x0000000000550000-0x00000000006B1000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1720 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1720 rundll32.exe
1720 rundll32.exe
1720 rundll32.exe
1720 rundll32.exe

flow	pid	process
2	1720	rundll32.exe

pid	process
1720	rundll32.exe
1720	rundll32.exe
1720	rundll32.exe
1720	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

07828a66286c07d883d03fbac1c7d628.exe

description	pid	process	target process
PID 1572 wrote to memory of 1720	1572	07828a66286c07d883d03fbac1c7d628.exe	rundll32.exe
PID 1572 wrote to memory of 1720	1572	07828a66286c07d883d03fbac1c7d628.exe	rundll32.exe
PID 1572 wrote to memory of 1720	1572	07828a66286c07d883d03fbac1c7d628.exe	rundll32.exe
PID 1572 wrote to memory of 1720	1572	07828a66286c07d883d03fbac1c7d628.exe	rundll32.exe
PID 1572 wrote to memory of 1720	1572	07828a66286c07d883d03fbac1c7d628.exe	rundll32.exe
PID 1572 wrote to memory of 1720	1572	07828a66286c07d883d03fbac1c7d628.exe	rundll32.exe
PID 1572 wrote to memory of 1720	1572	07828a66286c07d883d03fbac1c7d628.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\07828a66286c07d883d03fbac1c7d628.exe
"C:\Users\Admin\AppData\Local\Temp\07828a66286c07d883d03fbac1c7d628.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\07828A~1.DLL,s C:\Users\Admin\AppData\Local\Temp\07828A~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\07828A~1.DLL
Filesize
1.3MB

MD5
3c0e7683048f8b9fa2e994bac9f0cdd6

SHA1
2465736294a69d6527b204bb13df01a4f187382f

SHA256
1e42a88d963e3855f106ca031aece2f473e816e5060fef59a0221fde58fd0ca8

SHA512
42ac823111f489fc89b469e615a1ee0abfdafe48569d43c0045a5a33f85181e07e8cb6b9c20477a7b97c0d19ac26055437ff6a339b2775ab09f621525a7bad79

Download Submit
memory/1572-0-0x00000000009C0000-0x0000000000AAE000-memory.dmp

Filesize
952KB

Download
memory/1572-1-0x00000000009C0000-0x0000000000AAE000-memory.dmp

Filesize
952KB

Download
memory/1572-2-0x0000000000B60000-0x0000000000C65000-memory.dmp

Filesize
1.0MB

Download
memory/1572-3-0x0000000000400000-0x000000000094F000-memory.dmp

Filesize
5.3MB

Download
memory/1572-6-0x0000000000400000-0x000000000094F000-memory.dmp

Filesize
5.3MB

Download
memory/1572-7-0x0000000000B60000-0x0000000000C65000-memory.dmp

Filesize
1.0MB

Download
memory/1720-14-0x0000000000550000-0x00000000006B1000-memory.dmp

Filesize
1.4MB

Download
memory/1720-13-0x0000000000550000-0x00000000006B1000-memory.dmp

Filesize
1.4MB

Download
memory/1720-22-0x0000000000550000-0x00000000006B1000-memory.dmp

Filesize
1.4MB

Download
memory/1720-23-0x0000000000550000-0x00000000006B1000-memory.dmp

Filesize
1.4MB

Download
memory/1720-24-0x0000000000550000-0x00000000006B1000-memory.dmp

Filesize
1.4MB

Download
memory/1720-25-0x0000000000550000-0x00000000006B1000-memory.dmp

Filesize
1.4MB

Download
memory/1720-26-0x0000000000550000-0x00000000006B1000-memory.dmp

Filesize
1.4MB

Download
memory/1720-27-0x0000000000550000-0x00000000006B1000-memory.dmp

Filesize
1.4MB

Download
memory/1720-28-0x0000000000550000-0x00000000006B1000-memory.dmp

Filesize
1.4MB

Download
memory/1720-29-0x0000000000550000-0x00000000006B1000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing