Malware Analysis Report

2024-11-30 14:40

Sample ID 231226-mwxzpahhg2
Target 68a6707917bb90040755111aa42b5054
SHA256 87d81ffeb04f8d1d4107c7c870fb3f52b4540f9e61addbedc920cabd81dd82b7
Tags
danabot 4 banker trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

87d81ffeb04f8d1d4107c7c870fb3f52b4540f9e61addbedc920cabd81dd82b7

Threat Level: Known bad

The file 68a6707917bb90040755111aa42b5054 was found to be: Known bad.

Malicious Activity Summary

danabot 4 banker trojan

Danabot Loader Component

Danabot

Blocklisted process makes network request

Loads dropped DLL

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-26 10:49

Signatures

Unsigned PE

1 hit; no description, indicator, process or target recorded.

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 10:49

Reported

2024-01-06 10:59

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68a6707917bb90040755111aa42b5054.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

11 hits; no description, indicator, process or target recorded.

Blocklisted process makes network request

1 hit; process C:\Windows\SysWOW64\rundll32.exe; no description, indicator or target recorded.

Loads dropped DLL

2 hits; process C:\Windows\SysWOW64\rundll32.exe in both; no description, indicator or target recorded.

Processes

C:\Users\Admin\AppData\Local\Temp\68a6707917bb90040755111aa42b5054.exe

"C:\Users\Admin\AppData\Local\Temp\68a6707917bb90040755111aa42b5054.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\68A670~1.TMP,S C:\Users\Admin\AppData\Local\Temp\68A670~1.EXE

The sample drops 68A670~1.TMP (an 8.3 short name: a file in the same directory whose long name starts with 68a670 and has the extension .tmp; 68A670~1.EXE is the short name of the sample itself) and runs it through rundll32.exe as a DLL, calling its export "S" with the path of the original executable as the argument. The command line names system32\rundll32.exe, but the image that actually ran is the SysWOW64 copy: the parent is a 32-bit process, so the path is subject to WoW64 file system redirection.

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1816 -ip 1816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 448

The two WerFault.exe instances handle the crash of PID 1816 (the "Program crash" entry in the summary). The Files section below records memory dumps for PIDs 1816 and 2308; the 0x400000-0x5A1000 region of PID 1816 is consistent with the default image base of a 32-bit executable, so PID 1816 is read here as the original executable and PID 2308 as the rundll32.exe host. These PID attributions are inferences from this report, not sandbox output.

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 142.11.244.124:443 tcp
US 8.8.8.8:53 124.244.11.142.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
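
The table above mixes three kinds of rows: PTR lookups sent to 8.8.8.8 (the in-addr.arpa names, whose labels are the reversed octets of the address being resolved), the forward lookup and TLS connections for tse1.mm.bing.net, and one TCP connection to 142.11.244.124:443 with no domain attached. That last destination is the only one that also appears in the behavioral1 (Windows 7) detonation, and the "Blocklisted process makes network request" signature on rundll32.exe has no recorded target, so it is the row worth pivoting on. The following Python is an added example, not part of the sandbox report: it classifies the rows of this table and separates direct-IP connections from name-resolved connections and from reverse lookups of addresses that were never contacted. The rows are copied from the table; the bing.net allowlist for Windows background traffic is my assumption, not something the report states.

```python
"""Classify the rows of a sandbox Network table.

Added example, not part of the sandbox report. The benign-domain allowlist is
an assumption made here, not something the report states.
"""
import ipaddress

# Constructed from the behavioral2 Network table: (country, destination, domain, proto).
# An empty domain is how the page shows a connection with no associated name.
ROWS = [
    ("US", "8.8.8.8:53", "23.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "146.78.124.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "9.228.82.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.156.103.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "167.109.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "2.136.104.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "82.177.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "103.169.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "57.110.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "200.197.79.204.in-addr.arpa", "udp"),
    ("US", "142.11.244.124:443", "", "tcp"),
    ("US", "8.8.8.8:53", "124.244.11.142.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "11.227.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "1.173.189.20.in-addr.arpa", "udp"),
]

# Assumption: Windows background traffic that is not attributed to the sample.
BENIGN_SUFFIXES = (".bing.net",)


def ptr_to_ip(name):
    """'124.244.11.142.in-addr.arpa' -> '142.11.244.124'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def classify(rows, benign_suffixes=BENIGN_SUFFIXES):
    """Split the table into direct-IP, name-resolved and allowlisted connections,
    plus the DNS-only activity (PTR targets and forward queries)."""
    connections = {}          # ip -> set of (port, proto, domain)
    ptr_targets, forward = set(), set()
    for _country, dest, domain, proto in rows:
        ip, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":   # a DNS query, not a connection to the resolver
            target = ptr_to_ip(domain)
            if target:
                ptr_targets.add(target)
            else:
                forward.add(domain)
            continue
        connections.setdefault(ip, set()).add((int(port), proto, domain))

    out = {"direct_ip": [], "resolved": [], "benign": []}
    for ip in sorted(connections):
        domains = {d for _, _, d in connections[ip] if d}
        if not domains:
            out["direct_ip"].append(ip)        # contacted by address only: the pivot candidate
        elif all(d.endswith(benign_suffixes) for d in domains):
            out["benign"].append(ip)
        else:
            out["resolved"].append(ip)
    # PTR lookups for addresses never connected to: resolver/host background noise.
    out["ptr_only"] = sorted(ptr_targets - set(connections))
    # PTR lookups for addresses that were connected to: reverse resolution of a peer.
    out["ptr_of_peer"] = sorted(ptr_targets & set(connections))
    out["forward_queries"] = sorted(forward)
    return out


if __name__ == "__main__":
    for key, values in classify(ROWS).items():
        print(f"{key:16} {', '.join(values)}")
```

On this table the only direct-IP connection is 142.11.244.124, thirteen of the fifteen PTR lookups are for addresses the sandbox never connected to, and the two remaining PTR lookups are reverse resolutions of the two connection peers.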

Files

memory/1816-2-0x0000000002490000-0x0000000002590000-memory.dmp

memory/1816-1-0x0000000002310000-0x00000000023FF000-memory.dmp

memory/1816-3-0x0000000000400000-0x00000000005A1000-memory.dmp

memory/2308-9-0x0000000002500000-0x000000000265F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\68A670~1.EXE.tmp

MD5 002a2819b337c4ae1ab363cb537cd60d
SHA1 2fe4b5d53b5d841c93804186281639d1422460d7
SHA256 18df3ccaab2c689f5f8a0369e28f78ed45bf1ab25f0ecf28e9897bae0fdcc59a
SHA512 28bbe9641cd78ad5901c66ac340166a59b36e1017d51111520298203f06304a5ee958053d71b1b8cb2f8b837c0ebb138e61a915798030292d64ac445c28571ef

C:\Users\Admin\AppData\Local\Temp\68A670~1.EXE.tmp

MD5 c2b99087d68d211238d87cc4c8c688ec
SHA1 0a45cd9fbdd93c654f23a7f2b2ec98ddd8fa1adf
SHA256 9d55da904c4d515269f32cf0c1399defff0b4340f0dd11f30d0a86394f6daa6b
SHA512 08666eeb8b1e98684fbdc8a87de259ca933ff57240d40810a3bda8c7cd3ac7e9d3d9072df7a4b2237e98e046517ee955c775d57361eb0c6f9e4f6bdc4686a91c

C:\Users\Admin\AppData\Local\Temp\68A670~1.TMP

MD5 b725a7ef7e7d1ecca0100c999247b447
SHA1 01994fb7ed15b5ce16e8503171887c34219b5f96
SHA256 21c55a8b5cc268c3f764d14e45f30d2c1f6de016f7089e5ecb0c8757d012e1ec
SHA512 6664dc56d31aceba414c47541828f3e050b0a130342cb889a984f87e1cc267b15dd9d67e9df0944429d6b2b2e5954daba493829f038dd1b0344cda1870dd958d

memory/1816-11-0x0000000002490000-0x0000000002590000-memory.dmp

memory/1816-10-0x0000000000400000-0x00000000005A1000-memory.dmp

memory/2308-12-0x0000000002500000-0x000000000265F000-memory.dmp

memory/2308-20-0x0000000002500000-0x000000000265F000-memory.dmp

memory/2308-21-0x0000000002500000-0x000000000265F000-memory.dmp

memory/2308-22-0x0000000002500000-0x000000000265F000-memory.dmp

memory/2308-23-0x0000000002500000-0x000000000265F000-memory.dmp

memory/2308-24-0x0000000002500000-0x000000000265F000-memory.dmp

memory/2308-25-0x0000000002500000-0x000000000265F000-memory.dmp

memory/2308-26-0x0000000002500000-0x000000000265F000-memory.dmp

memory/2308-27-0x0000000002500000-0x000000000265F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 10:49

Reported

2024-01-06 10:58

Platform

win7-20231215-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68a6707917bb90040755111aa42b5054.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

3 hits; no description, indicator, process or target recorded.

Blocklisted process makes network request

1 hit; process C:\Windows\SysWOW64\rundll32.exe; no description, indicator or target recorded.

Loads dropped DLL

1 hit; process C:\Windows\SysWOW64\rundll32.exe; no description, indicator or target recorded.

Processes

C:\Users\Admin\AppData\Local\Temp\68a6707917bb90040755111aa42b5054.exe

"C:\Users\Admin\AppData\Local\Temp\68a6707917bb90040755111aa42b5054.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\68A670~1.TMP,S C:\Users\Admin\AppData\Local\Temp\68A670~1.EXE

The Windows 7 run shows the same chain as behavioral2: the dropped 68A670~1.TMP is loaded by rundll32.exe as a DLL through its export "S", with the sample's own path as the argument. No WerFault.exe instance appears in this detonation. The memory dumps below come from PIDs 2176 and 2676; the 0x15F000-byte region dumped from PID 2676 has the same size as the region dumped from PID 2308 on Windows 10, consistent with the same payload being unpacked into the rundll32.exe host (an inference from this report, not sandbox output).
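
Both detonations show the same loader chain: the dropped 68A670~1.TMP is executed as a DLL by rundll32.exe via its export "S", with the original executable's path as the argument. A detection for this pattern, added here as an example and not taken from the sandbox or the report: it parses a rundll32 command line the way rundll32 itself splits it (DLL path, comma, entry point, remaining arguments) and scores the traits visible in this report, namely a DLL in a user-writable directory, a non-.dll extension, a one-letter export, and an argument that points to an executable in the same kind of location. The command lines are copied from the Processes sections of behavioral1 and behavioral2; the heuristics, the directory list and the benign control line are my assumptions.

```python
"""Flag suspicious rundll32 invocations such as the one in this report.

Added example, not part of the sandbox report. The heuristics, the
user-writable directory list and the benign control line are assumptions
made here, not sandbox signature logic.
"""
import ntpath
import re

# Constructed from the Processes sections of behavioral1 and behavioral2.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\68a6707917bb90040755111aa42b5054.exe"',
    r'C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\68A670~1.TMP,S C:\Users\Admin\AppData\Local\Temp\68A670~1.EXE',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1816 -ip 1816',
]
# Constructed benign control: an ordinary rundll32 call into a system DLL.
BENIGN_CMDLINE = r'C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL'

# Assumption: directories an unprivileged user (and so a dropper) can write to.
USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|Users\\Public|ProgramData|Downloads)\\', re.I)


def split_cmdline(cmdline):
    """Tokenise a Windows command line into quoted runs or whitespace-free runs."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_rundll32(cmdline):
    """Return {'dll', 'export', 'args'} for 'rundll32 <dll>,<export> [args]', else None.

    rundll32 splits its first argument at the last comma; a space after the
    comma ('foo.dll, Export') is also accepted, so both forms are handled.
    """
    toks = split_cmdline(cmdline)
    if len(toks) < 2 or ntpath.basename(toks[0]).lower() not in ('rundll32', 'rundll32.exe'):
        return None
    target, rest = toks[1], toks[2:]
    if target.endswith(',') and rest:            # 'foo.dll, Export' form
        dll, export = target[:-1], rest.pop(0)
    elif ',' in target:
        dll, export = target.rsplit(',', 1)
    else:
        dll, export = target, ''
    return {'dll': dll, 'export': export, 'args': rest}


def assess_rundll32(cmdline):
    """Return the reasons a rundll32 command line looks like a loader (empty if none)."""
    p = parse_rundll32(cmdline)
    if p is None:
        return []
    reasons = []
    ext = ntpath.splitext(p['dll'])[1].lower()
    if USER_WRITABLE.search(p['dll']):
        reasons.append('dll loaded from a user-writable directory')
    if ext != '.dll':
        reasons.append(f"dll has non-standard extension '{ext or '(none)'}'")
    if p['export'].startswith('#'):
        reasons.append('export referenced by ordinal')
    elif len(p['export']) <= 2:
        reasons.append(f"opaque export name '{p['export']}'")
    if any(a.lower().endswith('.exe') and USER_WRITABLE.search(a) for a in p['args']):
        reasons.append('argument references an executable in a user-writable directory')
    return reasons


def triage(cmdlines):
    """Map each flagged command line to its list of reasons."""
    findings = {}
    for c in cmdlines:
        reasons = assess_rundll32(c)
        if reasons:
            findings[c] = reasons
    return findings


if __name__ == '__main__':
    for cmd, why in triage(SAMPLE_CMDLINES).items():
        print(cmd)
        for r in why:
            print('  -', r)
```

Only the rundll32 line from the report is flagged, on all four traits; the dropper's own command line and the WerFault lines are not rundll32 invocations and the benign control loads a system DLL by a descriptive export name. The mismatch between the system32 path on the command line and the SysWOW64 image that ran is not something this parser sees; that needs the process image path from the sandbox or EDR record alongside the command line.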

Network

Country Destination Domain Proto
US 142.11.244.124:443 tcp

Files

memory/2176-0-0x0000000000300000-0x00000000003EB000-memory.dmp

memory/2176-2-0x0000000001EC0000-0x0000000001FC0000-memory.dmp

memory/2176-1-0x0000000000300000-0x00000000003EB000-memory.dmp

memory/2176-3-0x0000000000400000-0x00000000005A1000-memory.dmp

memory/2176-6-0x0000000000400000-0x00000000005A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\68A670~1.TMP

MD5 0e9f49885f4558fe913a23024539375a
SHA1 6913a3c3a2211b8bdc796c3aeca100c1fdd79b0b
SHA256 4f90dd992b00aef8ddad62b76b52c905c848bea1829277696f7d175abcd35769
SHA512 58ca03486a9291554d61b511a43ef738ddfd8f46b4add60ca81bc75d0e09141afad2e45646f53e7beba45e2285bfb077a17d8302b1a947e5e15f4b6e5864b747

\Users\Admin\AppData\Local\Temp\68A670~1.TMP

MD5 dbdeaabe9c145f13c101a5b319d39d63
SHA1 dfe1104bc81e39f41ad37b88cac45dda76f6e24b
SHA256 d314853b482dc7f434a8c59c62480b9907a29990ec0b1084583dcda3147972ab
SHA512 99dd20424daefb94bdfdf3986c6e6226903b4622f80f09b0f3502c514468c1de33e881888a09f1e128ec431f94aa594dd4c513026d04c3b92d3b2a6a6b16745f

memory/2676-10-0x00000000007C0000-0x000000000091F000-memory.dmp

memory/2176-7-0x0000000001EC0000-0x0000000001FC0000-memory.dmp

memory/2676-11-0x00000000007C0000-0x000000000091F000-memory.dmp

memory/2676-19-0x00000000007C0000-0x000000000091F000-memory.dmp

memory/2676-20-0x00000000007C0000-0x000000000091F000-memory.dmp

memory/2676-21-0x00000000007C0000-0x000000000091F000-memory.dmp

memory/2676-22-0x00000000007C0000-0x000000000091F000-memory.dmp

memory/2676-23-0x00000000007C0000-0x000000000091F000-memory.dmp

memory/2676-24-0x00000000007C0000-0x000000000091F000-memory.dmp

memory/2676-25-0x00000000007C0000-0x000000000091F000-memory.dmp

memory/2676-26-0x00000000007C0000-0x000000000091F000-memory.dmp
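
The Files sections of both detonations list the same path more than once with different hashes (68A670~1.EXE.tmp twice in behavioral2; 68A670~1.TMP with and without the drive letter in behavioral1), meaning the dropped file's content changed while the sample ran, and they interleave memory dumps named by PID and address range. An added example, not part of the report, that parses this section as it appears on the page, groups the dumped regions by PID and reports paths whose content changed, so that every distinct hash ends up in a file IOC list. The input is the behavioral2 Files section abridged to its distinct entries (SHA1 and SHA512 lines omitted, each repeated region kept once); treating a drive-less path as the same file as its C:-prefixed form is my assumption.

```python
"""Parse the Files section of a sandbox report into dropped files and memory dumps.

Added example, not part of the report. Treating a path without a drive letter
as the same file as its C:-prefixed form is an assumption made here.
"""
import re
from collections import defaultdict

# Constructed: the behavioral2 Files section as it appears on the page, abridged to the
# distinct entries (SHA1/SHA512 lines dropped; repeated dumps of one region kept once each).
FILES_TEXT = r"""
memory/1816-2-0x0000000002490000-0x0000000002590000-memory.dmp
memory/1816-1-0x0000000002310000-0x00000000023FF000-memory.dmp
memory/1816-3-0x0000000000400000-0x00000000005A1000-memory.dmp
memory/2308-9-0x0000000002500000-0x000000000265F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\68A670~1.EXE.tmp
MD5 002a2819b337c4ae1ab363cb537cd60d
SHA256 18df3ccaab2c689f5f8a0369e28f78ed45bf1ab25f0ecf28e9897bae0fdcc59a
C:\Users\Admin\AppData\Local\Temp\68A670~1.EXE.tmp
MD5 c2b99087d68d211238d87cc4c8c688ec
SHA256 9d55da904c4d515269f32cf0c1399defff0b4340f0dd11f30d0a86394f6daa6b
C:\Users\Admin\AppData\Local\Temp\68A670~1.TMP
MD5 b725a7ef7e7d1ecca0100c999247b447
SHA256 21c55a8b5cc268c3f764d14e45f30d2c1f6de016f7089e5ecb0c8757d012e1ec
memory/2308-12-0x0000000002500000-0x000000000265F000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


def parse_files(text):
    """Return (dumps, files). A dump line stands alone; a dropped file is a path
    line followed by zero or more hash lines."""
    dumps, files, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:          # a hash line with no preceding path is ignored
                current["hashes"][m[1]] = m[2].lower()
            continue
        current = {"path": line, "hashes": {}}
        files.append(current)
    return dumps, files


def normalize_path(path):
    """Drop the drive letter and case so a C:-prefixed and a drive-less path compare equal (assumption)."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def rewritten_paths(files, algo="SHA256"):
    """Paths listed with more than one distinct hash: the content changed during the run."""
    seen = defaultdict(set)
    for f in files:
        if algo in f["hashes"]:
            seen[normalize_path(f["path"])].add(f["hashes"][algo])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def regions_by_pid(dumps):
    """Distinct dumped address ranges per PID, in address order."""
    regions = defaultdict(set)
    for d in dumps:
        regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def unique_hashes(files, algo="SHA256"):
    """Every distinct hash of the given algorithm: the file IOC list."""
    return sorted({f["hashes"][algo] for f in files if algo in f["hashes"]})


if __name__ == "__main__":
    dumps, files = parse_files(FILES_TEXT)
    for pid, regions in regions_by_pid(dumps).items():
        print(pid, [f"0x{s:X}-0x{e:X} ({e - s:#x} bytes)" for s, e in regions])
    print("rewritten:", rewritten_paths(files))
    print("sha256 IOCs:", unique_hashes(files))
```

Run against the behavioral2 section this yields three regions for PID 1816 and one for PID 2308, one rewritten path (68A670~1.EXE.tmp, two SHA256 values) and three SHA256 IOCs; feeding it the behavioral1 section instead pairs the drive-less and C:-prefixed 68A670~1.TMP entries the same way.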