Malware Analysis Report

2024-11-30 14:41

Sample ID 231229-y5t5yaeee9
Target 02f6cd0c20673f819bba4b21f4d30d44
SHA256 463654d4c0ca86dbb8f6babe6f7614ce7475dd195bc1c6ea5b854a0ed7f6108f
Tags
danabot 4 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

463654d4c0ca86dbb8f6babe6f7614ce7475dd195bc1c6ea5b854a0ed7f6108f

Threat Level: Known bad

The file 02f6cd0c20673f819bba4b21f4d30d44 was found to be: Known bad.

Malicious Activity Summary

danabot 4 banker trojan

Danabot

Danabot Loader Component

Blocklisted process makes network request

Loads dropped DLL

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-29 20:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 20:22

Reported

2023-12-30 00:22

Platform

win7-20231129-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe

"C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP,S C:\Users\Admin\AppData\Local\Temp\02F6CD~1.EXE

Network

Country  Destination          Domain                          Proto
US       142.11.244.124:443                                   tcp

Files

memory/2320-0-0x00000000009F0000-0x0000000000ADA000-memory.dmp

memory/2320-1-0x00000000009F0000-0x0000000000ADA000-memory.dmp

memory/2320-2-0x0000000000C30000-0x0000000000D2F000-memory.dmp

memory/2320-5-0x0000000000400000-0x00000000009E2000-memory.dmp

memory/2320-11-0x00000000009F0000-0x0000000000ADA000-memory.dmp

memory/2320-10-0x0000000000C30000-0x0000000000D2F000-memory.dmp

memory/1640-9-0x0000000000920000-0x0000000000A7F000-memory.dmp

\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP

MD5 21ce0b5ae3b9fc3502ff8df646c1f6fd
SHA1 c334e13f18fe093d5555a6a60e3706642e1c55f5
SHA256 74769caa914081ef0a4689fad2d7165f820047d1bff4d1072e4ddaff721d2f89
SHA512 e05c5df4928fd17a26db8d8129ae23d028ad45497a8e9eacf29519cd8323a7b6b2fb01ca4849bb2a5218a50ae5a7eee5b5e9d897146ec9c1c31c4632d7952695

C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP

MD5 f65f2f47b342bb22302981889f62699b
SHA1 66ef7315b9e3a00e40b3f2646198aa699ce99898
SHA256 c838276b43df3a0e96cc2d87189ceb803cd0a7223cee89944fec77107bbbd289
SHA512 36f1c367f0f0edb884897505679c13b8d0f8e6787c5846ee055f8e0017d14d0d088531ab3287a62ef8f61c65da554fd397c897f437a1216908065edf8860db69

memory/2320-6-0x0000000000400000-0x00000000009E2000-memory.dmp

memory/1640-12-0x0000000000920000-0x0000000000A7F000-memory.dmp

memory/1640-20-0x0000000000920000-0x0000000000A7F000-memory.dmp

memory/1640-21-0x0000000000920000-0x0000000000A7F000-memory.dmp

memory/1640-22-0x0000000000920000-0x0000000000A7F000-memory.dmp

memory/1640-23-0x0000000000920000-0x0000000000A7F000-memory.dmp

memory/1640-24-0x0000000000920000-0x0000000000A7F000-memory.dmp

memory/1640-25-0x0000000000920000-0x0000000000A7F000-memory.dmp

memory/1640-26-0x0000000000920000-0x0000000000A7F000-memory.dmp

memory/1640-27-0x0000000000920000-0x0000000000A7F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 20:22

Reported

2023-12-30 00:22

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe

"C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP,S C:\Users\Admin\AppData\Local\Temp\02F6CD~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2256 -ip 2256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 516

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           23.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53           208.194.73.20.in-addr.arpa      udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           180.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           9.228.82.20.in-addr.arpa        udp
US       8.8.8.8:53           26.35.223.20.in-addr.arpa       udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa       udp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa      udp
US       8.8.8.8:53           2.136.104.51.in-addr.arpa       udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           104.241.123.92.in-addr.arpa     udp
US       8.8.8.8:53           119.110.54.20.in-addr.arpa      udp
US       8.8.8.8:53           176.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53           211.135.221.88.in-addr.arpa     udp
GB       88.221.135.211:80                                    tcp
GB       88.221.135.211:80                                    tcp
GB       88.221.135.211:80                                    tcp
US       8.8.8.8:53                                           udp
GB       88.221.135.211:80                                    tcp
US       8.8.8.8:53                                           udp
GB       88.221.135.211:80                                    tcp
US       93.184.221.240:80                                    tcp
GB       88.221.135.211:80                                    tcp
GB       88.221.135.211:80                                    tcp
GB       88.221.135.211:80                                    tcp
GB       96.16.110.114:80                                     tcp
GB       88.221.135.211:80                                    tcp
GB       88.221.135.211:80                                    tcp
US       8.8.8.8:53                                           udp
US       138.91.171.81:80                                     tcp
GB       88.221.135.211:80                                    tcp
GB       88.221.135.211:80                                    tcp
US       8.8.8.8:53           194.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           174.178.17.96.in-addr.arpa      udp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
US       142.11.244.124:443                                   tcp
US       8.8.8.8:53           124.244.11.142.in-addr.arpa     udp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.16.110.114:80                                     tcp
US       8.8.8.8:53                                           udp
NL       52.142.223.178:80                                    tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
GB       96.17.178.176:80                                     tcp
US       8.8.8.8:53                                           udp
US       8.8.8.8:53                                           udp
US       93.184.221.240:80                                    tcp
US       8.8.8.8:53                                           udp
US       8.8.8.8:53                                           udp
US       93.184.221.240:80                                    tcp
US       204.79.197.200:443                                   tcp
US       204.79.197.200:443                                   tcp
US       204.79.197.200:443                                   tcp
US       204.79.197.200:443                                   tcp
US       204.79.197.200:443                                   tcp
GB       96.17.178.174:80                                     tcp
US       8.8.8.8:53                                           udp
US       93.184.221.240:80                                    tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.16.110.114:80                                     tcp
US       8.8.8.8:53                                           udp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.16.110.114:80                                     tcp
US       8.8.8.8:53                                           udp
NL       52.142.223.178:80                                    tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.16.110.114:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp
GB       96.17.178.174:80                                     tcp

Files

memory/2256-2-0x0000000000D50000-0x0000000000E4F000-memory.dmp

memory/2256-1-0x0000000000B10000-0x0000000000C09000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\02F6CD~1.EXE.tmp

MD5 7e0842a28143a9b40f5f63e2b8153f54
SHA1 3f7daf28976148e55ec55cb7e725c83a04399462
SHA256 df94ed67841091979d6c86081f4ceaa6b9d892724307e6574f758b0c5dbee90c
SHA512 d82b34308b5573aee84c482cd111cd87160f4eed2154a9d28bc6b4a70c792d607533481ed868a6ae4dc010355bd6f05ae371c92414a6ae6c2cfbaeea918cebcf

C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP

MD5 786b636f727a054829c7c2195d34136c
SHA1 a3e8d25f2e96dbd6a6d3dcee48322d9339f2be67
SHA256 05e692801356858257006f8c709434b103317509adc47ad0d3cb74eb39a15fd2
SHA512 5c3114423cbb547f81ffa28dca437bd0a7fa78f67236506fa460a38a493b9ce24bb27106b4b5b39a5c74ce608e336de77fd0e16f511c4e8fa764569cdb006657

memory/2256-5-0x0000000000400000-0x00000000009E2000-memory.dmp

memory/2256-8-0x0000000000400000-0x00000000009E2000-memory.dmp

memory/2256-9-0x0000000000D50000-0x0000000000E4F000-memory.dmp

memory/1168-10-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1168-18-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1168-19-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1168-20-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1168-21-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1168-22-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1168-23-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1168-24-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1168-25-0x0000000000400000-0x000000000055F000-memory.dmp