danabot | 5f24bfbea3a3c8babe23db472dc1f31910d9f4ecb362867a6ea1848f0f467c1c

Analysis

max time kernel
155s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

032c92718337d1071e3e95daac92c4e4.dll
Size

1.4MB
MD5

032c92718337d1071e3e95daac92c4e4
SHA1

44efa024618bbf10ac6ccd4dbd2a14a3bf22fee5
SHA256

5f24bfbea3a3c8babe23db472dc1f31910d9f4ecb362867a6ea1848f0f467c1c
SHA512

d166dfec51b5db403b067f973ea686f69617bff9774cbe85a71f945f7285841907c8b9ce692ae80a35f4e0d8306df9a8364581ce6a58cd0f6ab4b52fbede524e
SSDEEP

24576:YxlVtq2A7bquAuEIJQeQLQy3ke5s4rss/iKXpPetx3T1dISeQI4UdwAh:YxvtOTAxPLzr/iswj1qSA

Score

10^/10

danabot 11 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

164.90.206.160:443

13.53.138.59:443

68.183.95.230:443

Attributes

embedded_hash
2501517960E51AB60E0F53A71826CB28
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3192-2-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-3-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-4-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-5-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-7-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-8-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-9-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-10-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-11-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-12-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-13-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-14-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-15-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-16-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-17-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-18-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021
behavioral2/memory/3192-19-0x0000000010000000-0x0000000010170000-memory.dmp	DanabotLoader2021

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1332 wrote to memory of 3192	1332	regsvr32.exe	regsvr32.exe
PID 1332 wrote to memory of 3192	1332	regsvr32.exe	regsvr32.exe
PID 1332 wrote to memory of 3192	1332	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\032c92718337d1071e3e95daac92c4e4.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\032c92718337d1071e3e95daac92c4e4.dll
2⤵
PID:3192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3192-0-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-1-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3192-2-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-3-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-4-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-5-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-6-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3192-7-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-8-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-9-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-10-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-11-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-12-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-13-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-14-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-15-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-16-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-17-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-18-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download
memory/3192-19-0x0000000010000000-0x0000000010170000-memory.dmp

Filesize
1.4MB

Download