Malware Analysis Report

2024-11-30 14:40

Sample ID:  231227-17zjjshac3
Target:     b7c085a814f6decb7fac3218e9737435 (submitted filename)
SHA256:     f63dee9e804b9e07c7d7ec013117124dcc92c89e6c632e973140e39296858da7
Tags:       danabot 4 banker trojan
Score:      10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:        10/10
SHA256:       f63dee9e804b9e07c7d7ec013117124dcc92c89e6c632e973140e39296858da7
Threat Level: Known bad

The file b7c085a814f6decb7fac3218e9737435 was found to be: Known bad.

Malicious Activity Summary

Tags: danabot 4 banker trojan

  Danabot
  Danabot Loader Component
  Blocklisted process makes network request
  Loads dropped DLL
  Program crash
  Unsigned PE
  Suspicious use of WriteProcessMemory

Of these, "Program crash" and "Suspicious use of WriteProcessMemory" have no detail rows in the per-analysis signature tables below; the WerFault.exe invocations in the behavioral2 process list are the visible evidence of the crash. "Unsigned PE" comes from the static analysis, the rest from the two detonations.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-12-27 22:18

Signatures

Unsigned PE
  Description | Indicator | Process | Target
  N/A         | N/A       | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2023-12-27 22:18
Reported:         2024-01-08 00:37
Platform:         win7-20231215-en
Max time kernel:  143s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7c085a814f6decb7fac3218e9737435.exe"

Signatures

Danabot
  Tags: trojan banker danabot

Danabot Loader Component
  Description | Indicator | Process | Target
  11 hits, all four fields recorded as N/A

Blocklisted process makes network request
  Description | Indicator | Process                          | Target
  N/A         | N/A       | C:\Windows\SysWOW64\rundll32.exe | N/A

Loads dropped DLL
  Description | Indicator | Process                          | Target
  N/A         | N/A       | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b7c085a814f6decb7fac3218e9737435.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7c085a814f6decb7fac3218e9737435.exe"

C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B7C085~1.TMP,S C:\Users\Admin\AppData\Local\Temp\B7C085~1.EXE

Reading the rundll32 line: rundll32 takes <module>,<entry point> as its first argument and passes the rest to that entry point, so here it loads the dropped B7C085~1.TMP from %TEMP% as a DLL, calls its export S, and hands it the path of the original sample (B7C085~1.EXE is the 8.3 short name of b7c085a814f6decb7fac3218e9737435.exe). The command line names C:\Windows\system32\rundll32.exe while the image that actually ran is C:\Windows\SysWOW64\rundll32.exe; that is WoW64 file-system redirection, which is what a 32-bit parent gets when it launches system32\rundll32.exe on a 64-bit host, and it is consistent with the 32-bit address ranges in the memory dumps below.

Network

  Country | Destination        | Domain | Proto
  US      | 142.11.244.124:443 | -      | tcp

Files

Memory dumps are named memory/<pid>-<sequence>-<start>-<end>-memory.dmp; the sequence number gives dump order, so a repeated range is the same region dumped again later.

  PID 1396
    seq 0, 1                                  0x0000000001E90000-0x0000000001F7A000
    seq 2, 8                                  0x0000000001F80000-0x000000000207F000
    seq 3, 6                                  0x0000000000400000-0x000000000052F000
  PID 2268
    seq 10, 11, 19, 20, 21, 22, 23, 24, 25, 26 0x0000000000A70000-0x0000000000BCF000

Dropped files:

  \Users\Admin\AppData\Local\Temp\B7C085~1.TMP
    MD5    66a369dab84f69294f481b5cd8c1742d
    SHA1   f945145c18b9ecb25dc8c4cf1c444ae3686f02c8
    SHA256 e999d3201521f7e0d9ba8527b7782f183f5791858f9fce97df3b968bd5f5ed4f
    SHA512 491748e22d18aa20f8ea6ed0268e38497b0af672ad7b25639bab2bdb4f785a676ddc393f033b3da69d8e08c255c2ce74fc3ece5622ed923ae57bb8405857a99e

  C:\Users\Admin\AppData\Local\Temp\B7C085~1.TMP
    MD5    9f8d09ad2f5403c7cb792316e88ca5dc
    SHA1   1ec72085e6077cac5238e3e32aafbd582038c1bb
    SHA256 8f5aa5ece34a9b76209997edcedb9f358b7a84d3a9c16c9cf4f77b565f81333f
    SHA512 e4880c9122e8834534bdfa438b25b3bb6379fb1febb9db4dea9126836f03d6d97021e26fe73e740d259fa5d0c869534bcfa6d0e5820290ef33d2569dbbd8471f

The same dropped path is recorded twice in this run with different contents, and behavioral2 records a third set of hashes for it, so the loader written to %TEMP% is not byte-stable across detonations. Treat these hashes as identifiers for these runs only; the rundll32 invocation of B7C085~1.TMP and the connection to 142.11.244.124:443 recur in both runs and are the indicators worth carrying forward.

Analysis: behavioral2

Detonation Overview

Submitted:        2023-12-27 22:18
Reported:         2024-01-08 00:36
Platform:         win10v2004-20231215-en
Max time kernel:  162s
Max time network: 176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7c085a814f6decb7fac3218e9737435.exe"

Signatures

Danabot
  Tags: trojan banker danabot

Danabot Loader Component
  Description | Indicator | Process | Target
  7 hits, all four fields recorded as N/A

Blocklisted process makes network request
  Description | Indicator | Process                          | Target
  N/A         | N/A       | C:\Windows\SysWOW64\rundll32.exe | N/A

Loads dropped DLL
  Description | Indicator | Process                          | Target
  N/A         | N/A       | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b7c085a814f6decb7fac3218e9737435.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7c085a814f6decb7fac3218e9737435.exe"

C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B7C085~1.TMP,S C:\Users\Admin\AppData\Local\Temp\B7C085~1.EXE

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3204 -ip 3204

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 444

The rundll32 line is byte-for-byte the same as in behavioral1: the dropped B7C085~1.TMP is loaded as a DLL, export S is called, and the sample's own path is passed as the argument. New in this run are the two WerFault.exe launches, both for PID 3204: Windows Error Reporting handling a crash of that process, which is the "Program crash" entry in the summary. PID 3204 is also the PID whose memory dumps (Files below) cover 0x400000-0x52F000, the same range dumped for PID 1396 in behavioral1, so the crashing process is most likely the submitted executable rather than rundll32; the page itself does not label PIDs.
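The rundll32 invocation that appears in the Processes sections of both behavioral1 and behavioral2 is the most reusable detection hook in this report, because it does not depend on the dropped file's hash. The following Python is an added example, not part of the sandbox report and not any vendor's rule: it parses process-creation events, constructed here as (image, command line) pairs with the first two rows copied from the report and the rest invented as benign controls, and flags a rundll32 load from a user-writable directory, annotating it with the other traits seen here (non-library extension, 8.3 short name, one-letter export, an executable path as the argument). The USER_WRITABLE and LIBRARY_EXTENSIONS lists are assumptions to tune locally.

```python
"""Flag rundll32 loads of modules from user-writable locations.

Added example, not taken from the sandbox report. The event list below is
constructed: the first two rows copy the report's process entries, the rest
are benign controls.
"""
import re
import shlex
from dataclasses import dataclass

# (image path, command line) pairs as a process-creation log would record them.
SAMPLE_EVENTS = [
    # copied from the report (identical in behavioral1 and behavioral2)
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B7C085~1.TMP,S "
     r"C:\Users\Admin\AppData\Local\Temp\B7C085~1.EXE"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 444"),
    # constructed benign controls: system DLLs loaded the normal way
    (r"C:\Windows\System32\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
    (r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe printui.dll,PrintUIEntry /in /n \\srv\printer"),
    # constructed: a different dropped-module load, to show the rule is not hash-bound
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\ProgramData\update\x.txt,Start"),
]

# Assumption: path fragments that mark directories an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Assumption: extensions under which a legitimately packaged library is expected.
LIBRARY_EXTENSIONS = (".dll", ".cpl", ".ocx", ".ax", ".drv")
SHORT_NAME = re.compile(r"~\d+(?=\.|$)")  # 8.3 names such as B7C085~1.TMP


@dataclass(frozen=True)
class Finding:
    image: str
    module: str
    entry: str
    args: str
    reasons: tuple


def _unquote(token):
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    return token


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (module, entry point, arguments).

    rundll32 takes "<module>,<entry>" as its first argument and passes the
    rest verbatim to the entry point. Returns None for non-rundll32 lines.
    posix=False keeps Windows backslashes intact.
    """
    tokens = [_unquote(t) for t in shlex.split(cmdline, posix=False)]
    if len(tokens) < 2 or not tokens[0].lower().endswith("rundll32.exe"):
        return None
    module, _, entry = tokens[1].partition(",")
    return module, entry, " ".join(tokens[2:])


def assess(image, cmdline):
    """Return a Finding when the rundll32 load looks like a dropped loader."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    module, entry, args = parsed
    mod = module.lower()
    reasons = []
    if any(seg in mod for seg in USER_WRITABLE):
        reasons.append("module in user-writable path")
    if not mod.endswith(LIBRARY_EXTENSIONS):
        reasons.append("module extension is not a library extension")
    if SHORT_NAME.search(mod):
        reasons.append("8.3 short name")
    if len(entry) == 1:
        reasons.append("single-character entry point")
    if args.lower().endswith(".exe"):
        reasons.append("argument is an executable path")
    # A bare library name (printui.dll) resolved through the search path is
    # normal; alert only when the module sits in a user-writable location and
    # carry the other traits as context for the analyst.
    if "module in user-writable path" not in reasons:
        return None
    return Finding(image, module, entry, args, tuple(reasons))


def scan(events):
    """Run assess() over (image, cmdline) pairs and return all findings."""
    return [f for f in (assess(img, cmd) for img, cmd in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.module, f.entry, f.reasons)
```

The rule keys on where the module lives rather than on the TMP file's hash, which this report shows changing between and even within detonations; the WoW64 mismatch between the command line (system32) and the image (SysWOW64) is deliberately not scored, since every 32-bit parent on a 64-bit host produces it.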

Network

  Country | Destination        | Domain                      | Proto
  US      | 8.8.8.8:53         | 21.53.126.40.in-addr.arpa   | udp
  US      | 8.8.8.8:53         | 95.221.229.192.in-addr.arpa | udp
  US      | 8.8.8.8:53         | 241.154.82.20.in-addr.arpa  | udp
  US      | 8.8.8.8:53         | 88.156.103.20.in-addr.arpa  | udp
  US      | 8.8.8.8:53         | 114.110.16.96.in-addr.arpa  | udp
  US      | 8.8.8.8:53         | 41.110.16.96.in-addr.arpa   | udp
  US      | 8.8.8.8:53         | 2.136.104.51.in-addr.arpa   | udp
  US      | 8.8.8.8:53         | 183.59.114.20.in-addr.arpa  | udp
  US      | 8.8.8.8:53         | 15.164.165.52.in-addr.arpa  | udp
  US      | 8.8.8.8:53         | 11.227.111.52.in-addr.arpa  | udp
  US      | 8.8.8.8:53         | 158.240.127.40.in-addr.arpa | udp
  US      | 8.8.8.8:53         | 43.58.199.20.in-addr.arpa   | udp
  US      | 142.11.244.124:443 | -                           | tcp
  US      | 8.8.8.8:53         | 124.244.11.142.in-addr.arpa | udp
  US      | 8.8.8.8:53         | tse1.mm.bing.net            | udp
  US      | 204.79.197.200:443 | tse1.mm.bing.net            | tcp   (5 connections)

The in-addr.arpa rows are PTR (reverse DNS) queries sent to 8.8.8.8, and the tse1.mm.bing.net lookups and connections are Windows 10 background activity; neither appears in the Windows 7 run. The only endpoint common to both detonations is 142.11.244.124:443 over TCP with no domain, and the PTR query for 124.244.11.142.in-addr.arpa that follows it is the reverse lookup of that same address.
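Separating the one connection that matters from the resolver and Bing noise above is a routine triage step. The following Python is an added example, not part of the report: it parses both Network tables (rows copied from behavioral1 and behavioral2, written in the page's three- or four-column layout), labels each row as a PTR lookup, ordinary DNS, allowlisted background traffic or a real connection, decodes the PTR names back into the addresses they refer to, and intersects the remaining endpoints across the two runs. The BENIGN_DOMAIN_SUFFIXES allowlist and the RESOLVERS set are assumptions an analyst would maintain locally.

```python
"""Separate likely C2 contacts from sandbox and OS background traffic.

Added example, not part of the report. The two row sets below are copied from
the report's behavioral1 and behavioral2 Network tables; rows with no Domain
cell have only three columns, as on the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

BEHAVIORAL1 = """\
US 142.11.244.124:443 tcp
"""

BEHAVIORAL2 = """\
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 142.11.244.124:443 tcp
US 8.8.8.8:53 124.244.11.142.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumption: analyst-maintained allowlist of OS/sandbox background domains.
BENIGN_DOMAIN_SUFFIXES = ("bing.net", "microsoft.com", "windowsupdate.com", "msftncsi.com")
# Assumption: the resolver(s) the sandbox VM is configured to use.
RESOLVERS = {"8.8.8.8"}


@dataclass(frozen=True)
class Contact:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows into Contact records."""
    contacts = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, _, port = dest.rpartition(":")
        contacts.append(Contact(country, ip, int(port), domain, proto))
    return contacts


def ptr_target(domain):
    """IPv4 address a PTR name refers to ('124.244.11.142.in-addr.arpa' ->
    '142.11.244.124'), or None if the name is not a valid PTR name."""
    if not domain or not domain.endswith(".in-addr.arpa"):
        return None
    octets = domain[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4:
        return None
    candidate = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(candidate)
    except ValueError:
        return None
    return candidate


def classify(c):
    """Label a contact: 'ptr-lookup', 'dns', 'allowlisted' or 'connection'."""
    if c.ip in RESOLVERS and c.port == 53:
        return "ptr-lookup" if ptr_target(c.domain) else "dns"
    if c.domain and c.domain.endswith(BENIGN_DOMAIN_SUFFIXES):
        return "allowlisted"
    return "connection"


def candidates(text):
    """Distinct (ip, port, proto) endpoints that are neither DNS nor allowlisted."""
    return {(c.ip, c.port, c.proto) for c in parse_rows(text) if classify(c) == "connection"}


def reverse_lookups(text):
    """IPv4 addresses the VM issued PTR queries for."""
    return {ptr_target(c.domain) for c in parse_rows(text) if classify(c) == "ptr-lookup"}


def common_endpoints(*texts):
    """Endpoints present in every detonation: the strongest C2 candidates."""
    sets = [candidates(t) for t in texts]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    print("common endpoints:", common_endpoints(BEHAVIORAL1, BEHAVIORAL2))
    print("PTR-resolved addresses:", sorted(reverse_lookups(BEHAVIORAL2)))
```

Intersecting across platforms is the point: a Windows 7 and a Windows 10 detonation generate different background traffic, so anything both runs contact that is not on the allowlist is far more likely to be the sample's own infrastructure than any single run's list.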

Files

Memory dumps (memory/<pid>-<sequence>-<start>-<end>-memory.dmp; the sequence number gives dump order):

  PID 3204
    seq 1, 8                 0x0000000002270000-0x0000000002366000
    seq 2, 11                0x0000000002440000-0x000000000253F000
    seq 3, 4, 7              0x0000000000400000-0x000000000052F000
  PID 2668
    seq 13, 15, 27, 28, 29, 30 0x0000000000400000-0x000000000055F000

Dropped files:

  C:\Users\Admin\AppData\Local\Temp\B7C085~1.TMP
    MD5    973e243a21c58d1ce53e81b6cfb13f29
    SHA1   7e8eba90c43e6bc2bbbb966923f9f9ff76ab01d6
    SHA256 a4f029ef2f2dcd8319955185a0675b446ad78f737a383afb57f86ae70335d1a3
    SHA512 d44b3c66611ef1b16eb15361cb476776d1980a6b9d5a1abac73a3b3942b95205c54dafb7f99e86d0c640f85c38ec7eaa66ca63578704cde61ff7dc269e1a9ebe

PID 3204, the process WerFault handled, has the same 0x12F000-byte range at the conventional 32-bit image base 0x400000 as PID 1396 in behavioral1, so those two are most likely the submitted executable in each run; PID 2668's 0x400000-0x55F000 range is a different, larger mapping (the page does not label PIDs). The B7C085~1.TMP hashes here differ from both sets recorded in behavioral1, a third distinct copy of the dropped loader across two detonations.
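The Files sections of behavioral1 and behavioral2 are worth parsing rather than reading, because the two questions an analyst has (which address ranges were dumped per PID, and whether the dropped file keeps the same hash) are answered by grouping. The following Python is an added example, not part of the report: FILES_TEXT is copied from the page's two Files sections (one line per distinct dump range, and the dropped-file records with their hash lines), and the functions turn the page's line format into dump regions and per-path hash sets. Treating "C:\Users\..." and "\Users\..." as the same path is a normalization assumption stated in normalize_path.

```python
"""Parse the Files section of this report format into memory-dump regions and
dropped-file hash records, then check whether the dropped file's hashes are
stable. Added example, not part of the report; FILES_TEXT is copied from the
behavioral1 and behavioral2 Files sections (one line per distinct dump range).
"""
import re
from collections import defaultdict

FILES_TEXT = r"""
memory/1396-0-0x0000000001E90000-0x0000000001F7A000-memory.dmp
memory/1396-2-0x0000000001F80000-0x000000000207F000-memory.dmp
memory/1396-3-0x0000000000400000-0x000000000052F000-memory.dmp
\Users\Admin\AppData\Local\Temp\B7C085~1.TMP
MD5 66a369dab84f69294f481b5cd8c1742d
SHA1 f945145c18b9ecb25dc8c4cf1c444ae3686f02c8
SHA256 e999d3201521f7e0d9ba8527b7782f183f5791858f9fce97df3b968bd5f5ed4f
memory/2268-10-0x0000000000A70000-0x0000000000BCF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B7C085~1.TMP
MD5 9f8d09ad2f5403c7cb792316e88ca5dc
SHA256 8f5aa5ece34a9b76209997edcedb9f358b7a84d3a9c16c9cf4f77b565f81333f
memory/3204-1-0x0000000002270000-0x0000000002366000-memory.dmp
memory/3204-2-0x0000000002440000-0x000000000253F000-memory.dmp
memory/3204-3-0x0000000000400000-0x000000000052F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B7C085~1.TMP
MD5 973e243a21c58d1ce53e81b6cfb13f29
SHA256 a4f029ef2f2dcd8319955185a0675b446ad78f737a383afb57f86ae70335d1a3
memory/2668-13-0x0000000000400000-0x000000000055F000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Return (dumps, files).

    dumps: list of (pid, seq, start, end) with integer fields.
    files: one dict per path line ({"path": ..., "MD5": ..., ...}) holding the
    hash lines that immediately follow it on the page.
    """
    dumps, files = [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line}  # any other line starts a new file record
        files.append(current)
    return dumps, files


def normalize_path(path):
    """Assumption: the page writes the same file with and without a drive
    letter, so drop 'C:' and case-fold before grouping."""
    p = path.replace("/", "\\")
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p.lower()


def regions_by_pid(dumps):
    """Distinct (start, end) ranges dumped per PID, in address order."""
    regions = defaultdict(set)
    for pid, _seq, start, end in dumps:
        regions[pid].add((start, end))
    return {pid: sorted(r) for pid, r in regions.items()}


def hash_variance(files, algo="SHA256"):
    """Distinct hash values recorded per normalized path."""
    seen = defaultdict(set)
    for rec in files:
        if algo in rec:
            seen[normalize_path(rec["path"])].add(rec[algo])
    return dict(seen)


def unstable_paths(files, algo="SHA256"):
    """Paths whose recorded content changed between records."""
    return sorted(p for p, h in hash_variance(files, algo).items() if len(h) > 1)


if __name__ == "__main__":
    dumps, files = parse_files(FILES_TEXT)
    for pid, ranges in sorted(regions_by_pid(dumps).items()):
        print(pid, [f"0x{s:X}-0x{e:X} ({e - s:#x} bytes)" for s, e in ranges])
    print("unstable:", unstable_paths(files))
```

Running it shows PIDs 1396 and 3204 sharing the 0x12F000-byte region at 0x400000 while 2268 and 2668 do not, and B7C085~1.TMP carrying three different SHA256 values; that second result is the reason the file hash is a weak indicator for this sample.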