danabot | 39d9c0de3117b7c40a61ca01e0a3f9144be9236e0918eae950121c13250b529e

General

Target

bcefa9f449147383a7af69701c94f5fc.dll
Size

2.3MB
MD5

bcefa9f449147383a7af69701c94f5fc
SHA1

30d857b7babc1da2c663034c393276a940df2ebe
SHA256

39d9c0de3117b7c40a61ca01e0a3f9144be9236e0918eae950121c13250b529e
SHA512

34e9e8f22db182505a6f1338403fe1b6d1c3a9bc54963fc3c799a03e73dbef98950bc314a236423bdfd61afeb959eb34aa904efa367639d74d00482ffcf8ce15
SSDEEP

49152:HhKuFUNe7igoCT4rjd+UYoARFiChl+pg/OtJAS5NjOE7fMXz6q0f:SGuFQo8FiChNOYqh7A

Score

10^/10

danabot 11 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

11

C2

139.59.105.161:443

35.240.181.236:443

Attributes

embedded_hash
A7F76C8DA744F4E54810724819AFFFE9
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2932-51-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-52-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-53-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-54-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-55-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-56-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-57-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-58-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-59-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-60-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-61-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-62-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-63-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-64-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-65-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-66-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2932-67-0x0000000010000000-0x000000001025C000-memory.dmp	DanabotLoader2021

Drops file in Windows directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\win.ini regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1268 wrote to memory of 2932	1268	regsvr32.exe	regsvr32.exe
PID 1268 wrote to memory of 2932	1268	regsvr32.exe	regsvr32.exe
PID 1268 wrote to memory of 2932	1268	regsvr32.exe	regsvr32.exe
PID 1268 wrote to memory of 2932	1268	regsvr32.exe	regsvr32.exe
PID 1268 wrote to memory of 2932	1268	regsvr32.exe	regsvr32.exe
PID 1268 wrote to memory of 2932	1268	regsvr32.exe	regsvr32.exe
PID 1268 wrote to memory of 2932	1268	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bcefa9f449147383a7af69701c94f5fc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\bcefa9f449147383a7af69701c94f5fc.dll
2⤵
- Drops file in Windows directory
PID:2932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini
Filesize
485B

MD5
fd67c95e460d7c9366c5a8e622beb40d

SHA1
18f6a0074d621d5fbe3046114284a997ffc46da8

SHA256
d7a5d50a1666fcb0fddbbaaf0826034f2968b01e665f0db763460708744542b6

SHA512
92d3ba9d665540a8cc703444fff6e266b7a34968162cd103eb96345e685d594a6dc86a8223a417730da2d1e66f508f53a9a46664fd31d7001b37d9620d4c700b

Download Submit
memory/2932-50-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-51-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-52-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-53-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-54-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-55-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-56-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-57-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-58-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-59-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-60-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-61-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-62-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-63-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-64-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-65-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-66-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download
memory/2932-67-0x0000000010000000-0x000000001025C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing