Malware Analysis Report

2024-11-30 14:41

Sample ID 231229-28sm3adbej
Target 06a6e6cbb43ff9e121bcf5895b399f33
SHA256 b97c821707e93e8e535dc3661098e792d55d493a5edbd3f59bfd559c34d7822d
Tags
danabot 4 banker trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

b97c821707e93e8e535dc3661098e792d55d493a5edbd3f59bfd559c34d7822d

Threat Level: Known bad

The file 06a6e6cbb43ff9e121bcf5895b399f33 was found to be: Known bad.

Malicious Activity Summary

danabot 4 banker trojan

Danabot

Danabot Loader Component

Blocklisted process makes network request

Loads dropped DLL

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-29 23:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 23:15

Reported

2023-12-30 06:54

Platform

win7-20231129-en

Max time kernel

135s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06a6e6cbb43ff9e121bcf5895b399f33.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06a6e6cbb43ff9e121bcf5895b399f33.exe

"C:\Users\Admin\AppData\Local\Temp\06a6e6cbb43ff9e121bcf5895b399f33.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\06A6E6~1.DLL,s C:\Users\Admin\AppData\Local\Temp\06A6E6~1.EXE

Network

Country Destination Domain Proto
US 23.229.29.48:443 tcp

Files

memory/2948-0-0x0000000004680000-0x000000000476E000-memory.dmp

memory/2948-2-0x0000000004770000-0x0000000004875000-memory.dmp

memory/2948-1-0x0000000004680000-0x000000000476E000-memory.dmp

memory/2948-3-0x0000000000400000-0x0000000002D99000-memory.dmp

memory/2948-6-0x0000000000400000-0x0000000002D99000-memory.dmp

memory/2948-7-0x0000000004680000-0x000000000476E000-memory.dmp

memory/2948-9-0x0000000004770000-0x0000000004875000-memory.dmp

memory/2500-19-0x0000000001FE0000-0x0000000002140000-memory.dmp

memory/2948-20-0x0000000000400000-0x0000000002D99000-memory.dmp

memory/2500-21-0x0000000001FE0000-0x0000000002140000-memory.dmp

memory/2948-32-0x0000000000400000-0x0000000002D99000-memory.dmp

memory/2500-33-0x0000000001FE0000-0x0000000002140000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 23:15

Reported

2023-12-30 06:56

Platform

win10v2004-20231215-en

Max time kernel

163s

Max time network

185s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06a6e6cbb43ff9e121bcf5895b399f33.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06a6e6cbb43ff9e121bcf5895b399f33.exe

"C:\Users\Admin\AppData\Local\Temp\06a6e6cbb43ff9e121bcf5895b399f33.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3904 -ip 3904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 444

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\06A6E6~1.DLL,s C:\Users\Admin\AppData\Local\Temp\06A6E6~1.EXE

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3904-1-0x0000000004B10000-0x0000000004C00000-memory.dmp

memory/3904-2-0x0000000004C00000-0x0000000004D05000-memory.dmp

memory/3904-3-0x0000000000400000-0x0000000002D99000-memory.dmp

memory/3904-4-0x0000000000400000-0x0000000002D99000-memory.dmp

memory/3904-5-0x0000000000400000-0x0000000002D99000-memory.dmp

memory/3904-6-0x0000000000400000-0x0000000002D99000-memory.dmp

memory/3904-7-0x0000000004B10000-0x0000000004C00000-memory.dmp

memory/3904-8-0x0000000004C00000-0x0000000004D05000-memory.dmp

memory/3904-11-0x0000000000400000-0x0000000002D99000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\06A6E6~1.DLL

MD5 791091edf98de7d34af0980105b6b27c
SHA1 fef082e454745a269d0712943ec2659ca8cc4d8d
SHA256 069dfef3ec5e51fc1eac1b423ad829b045734063161a51e69b4b0d7f9ad9c7de
SHA512 b36997bb57058b45a57e2bd70b09723604ea607c91da42772a5a2f7163dba44594b04942881f8b4be8f7d8b8dbc2f6d5994c1d46b55b077321f8ded0bdb38507

memory/3904-17-0x0000000000400000-0x0000000002D99000-memory.dmp

memory/972-21-0x0000000000400000-0x0000000000560000-memory.dmp