danabot | 87d81ffeb04f8d1d4107c7c870fb3f52b4540f9e61addbedc920cabd81dd82b7

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68a6707917bb90040755111aa42b5054.exe
Size

1.1MB
MD5

68a6707917bb90040755111aa42b5054
SHA1

106c9280bf1a309de30e203e28d4e8d51f478d84
SHA256

87d81ffeb04f8d1d4107c7c870fb3f52b4540f9e61addbedc920cabd81dd82b7
SHA512

5992a58b39b0ce1ee42f4d15b582ffe488c8b58f8df00dd9053610f2a3cf03610025652bb8fd8559ed94d9931c4c63775615cebf87096adc2e8b78a8d26a7bcc
SSDEEP

24576:GyOjo7TdoacVRj2ZpVzT1h7WFPsxipZzabkns9ezUgD6Chr:JeVtEnTcvzaHGH7

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 11 IoCs

resource	yara_rule
behavioral2/memory/2308-9-0x0000000002500000-0x000000000265F000-memory.dmp	DanabotLoader2021
behavioral2/files/0x000a00000002314f-8.dat	DanabotLoader2021
behavioral2/files/0x000a00000002314f-7.dat	DanabotLoader2021
behavioral2/files/0x000a00000002314f-6.dat	DanabotLoader2021
behavioral2/memory/2308-12-0x0000000002500000-0x000000000265F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2308-20-0x0000000002500000-0x000000000265F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2308-21-0x0000000002500000-0x000000000265F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2308-23-0x0000000002500000-0x000000000265F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2308-25-0x0000000002500000-0x000000000265F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2308-26-0x0000000002500000-0x000000000265F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2308-27-0x0000000002500000-0x000000000265F000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
77	2308	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2308	rundll32.exe
2308	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3788	1816	WerFault.exe	17

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2308	1816	68a6707917bb90040755111aa42b5054.exe	68
PID 1816 wrote to memory of 2308	1816	68a6707917bb90040755111aa42b5054.exe	68
PID 1816 wrote to memory of 2308	1816	68a6707917bb90040755111aa42b5054.exe	68

C:\Users\Admin\AppData\Local\Temp\68a6707917bb90040755111aa42b5054.exe
"C:\Users\Admin\AppData\Local\Temp\68a6707917bb90040755111aa42b5054.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\68A670~1.TMP,S C:\Users\Admin\AppData\Local\Temp\68A670~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 448
  2⤵
  - Program crash
  PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1816 -ip 1816
1⤵
PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68A670~1.EXE.tmp

Filesize
88KB

MD5
c2b99087d68d211238d87cc4c8c688ec

SHA1
0a45cd9fbdd93c654f23a7f2b2ec98ddd8fa1adf

SHA256
9d55da904c4d515269f32cf0c1399defff0b4340f0dd11f30d0a86394f6daa6b

SHA512
08666eeb8b1e98684fbdc8a87de259ca933ff57240d40810a3bda8c7cd3ac7e9d3d9072df7a4b2237e98e046517ee955c775d57361eb0c6f9e4f6bdc4686a91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\68A670~1.EXE.tmp

Filesize
82KB

MD5
002a2819b337c4ae1ab363cb537cd60d

SHA1
2fe4b5d53b5d841c93804186281639d1422460d7

SHA256
18df3ccaab2c689f5f8a0369e28f78ed45bf1ab25f0ecf28e9897bae0fdcc59a

SHA512
28bbe9641cd78ad5901c66ac340166a59b36e1017d51111520298203f06304a5ee958053d71b1b8cb2f8b837c0ebb138e61a915798030292d64ac445c28571ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\68A670~1.TMP

Filesize
139KB

MD5
b725a7ef7e7d1ecca0100c999247b447

SHA1
01994fb7ed15b5ce16e8503171887c34219b5f96

SHA256
21c55a8b5cc268c3f764d14e45f30d2c1f6de016f7089e5ecb0c8757d012e1ec

SHA512
6664dc56d31aceba414c47541828f3e050b0a130342cb889a984f87e1cc267b15dd9d67e9df0944429d6b2b2e5954daba493829f038dd1b0344cda1870dd958d

Download Submit
memory/1816-10-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1816-2-0x0000000002490000-0x0000000002590000-memory.dmp

Filesize
1024KB

Download
memory/1816-3-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1816-1-0x0000000002310000-0x00000000023FF000-memory.dmp

Filesize
956KB

Download
memory/1816-11-0x0000000002490000-0x0000000002590000-memory.dmp

Filesize
1024KB

Download
memory/2308-20-0x0000000002500000-0x000000000265F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-12-0x0000000002500000-0x000000000265F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-9-0x0000000002500000-0x000000000265F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-21-0x0000000002500000-0x000000000265F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-22-0x0000000002500000-0x000000000265F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-23-0x0000000002500000-0x000000000265F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-24-0x0000000002500000-0x000000000265F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-25-0x0000000002500000-0x000000000265F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-26-0x0000000002500000-0x000000000265F000-memory.dmp

Filesize
1.4MB

Download
memory/2308-27-0x0000000002500000-0x000000000265F000-memory.dmp

Filesize
1.4MB

Download