danabot | 8cb1fc91ce481e9313b2dd4923d1a3b29dfbcbed01d1a9b8c434d1a4eaedf968

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ff80f00cb6c93fa94c5c6d7c9eee59e.exe
Size

1.1MB
MD5

1ff80f00cb6c93fa94c5c6d7c9eee59e
SHA1

6106a1d39b247b81d875976b929789f56b80351f
SHA256

8cb1fc91ce481e9313b2dd4923d1a3b29dfbcbed01d1a9b8c434d1a4eaedf968
SHA512

480848640077affc37329b7e50016068fe250414a679da2c8e1535d7a00b12eebfa7ece2e8a8a8c950bfa2568fac26258d81653a7d6133f37a1802765068c323
SSDEEP

24576:HI1KxVUIIYTVjtlRHAfQLCxwFei7ZQaXOUTe5:o1c15VprHixwFeiFhXOce5

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

193.34.167.138:443

152.89.247.31:443

192.210.222.81:443

142.11.244.124:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 5 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012262-6.dat	DanabotLoader2021
behavioral1/files/0x0009000000012262-7.dat	DanabotLoader2021
behavioral1/memory/3044-8-0x0000000000920000-0x0000000000A7D000-memory.dmp	DanabotLoader2021
behavioral1/memory/3044-11-0x0000000000920000-0x0000000000A7D000-memory.dmp	DanabotLoader2021
behavioral1/memory/3044-20-0x0000000000920000-0x0000000000A7D000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3044	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
3044	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3044	2976	1ff80f00cb6c93fa94c5c6d7c9eee59e.exe	28
PID 2976 wrote to memory of 3044	2976	1ff80f00cb6c93fa94c5c6d7c9eee59e.exe	28
PID 2976 wrote to memory of 3044	2976	1ff80f00cb6c93fa94c5c6d7c9eee59e.exe	28
PID 2976 wrote to memory of 3044	2976	1ff80f00cb6c93fa94c5c6d7c9eee59e.exe	28
PID 2976 wrote to memory of 3044	2976	1ff80f00cb6c93fa94c5c6d7c9eee59e.exe	28
PID 2976 wrote to memory of 3044	2976	1ff80f00cb6c93fa94c5c6d7c9eee59e.exe	28
PID 2976 wrote to memory of 3044	2976	1ff80f00cb6c93fa94c5c6d7c9eee59e.exe	28

C:\Users\Admin\AppData\Local\Temp\1ff80f00cb6c93fa94c5c6d7c9eee59e.exe
"C:\Users\Admin\AppData\Local\Temp\1ff80f00cb6c93fa94c5c6d7c9eee59e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1FF80F~1.TMP,S C:\Users\Admin\AppData\Local\Temp\1FF80F~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1FF80F~1.TMP

Filesize
543KB

MD5
3da5fdb7c0f262588d2b388e260ac27b

SHA1
0bcd708e2032be295c78429482492d4ba1401ac5

SHA256
cda354a1873f4eed0ce09fde9da33878187485b5375876bb21a8183ad729db55

SHA512
1bbb508c12959356913368068eb2c779c44a8dc321fc9556fe40bdb2a21381aeb004a5c7d54d1a05ea91a007ed6397daa48dc249a7af5371a34b9e1a99fb87eb

Download Submit
\Users\Admin\AppData\Local\Temp\1FF80F~1.TMP

Filesize
513KB

MD5
6b52731e94ebd488281ef3bd624a8d98

SHA1
15c00e6c8c3b3c14f86e08744815c3a704d81578

SHA256
c86c24b2c85cbe0d0298e1d6a70610ed39c70da1d1752410425640c1a3846548

SHA512
3d85c01f22e8ab84afcb1bf5f46be5309f03b6647edf6ed4d0a3a4d5939599c870114969fb1556124297a1288eb5d6427626abd7d7d8cd37b6732d3863cac592

Download Submit
memory/2976-0-0x0000000002DA0000-0x0000000002E89000-memory.dmp

Filesize
932KB

Download
memory/2976-1-0x0000000002DA0000-0x0000000002E89000-memory.dmp

Filesize
932KB

Download
memory/2976-2-0x0000000002FB0000-0x00000000030AE000-memory.dmp

Filesize
1016KB

Download
memory/2976-5-0x0000000000400000-0x0000000002D9A000-memory.dmp

Filesize
41.6MB

Download
memory/2976-10-0x0000000002FB0000-0x00000000030AE000-memory.dmp

Filesize
1016KB

Download
memory/2976-9-0x0000000000400000-0x0000000002D9A000-memory.dmp

Filesize
41.6MB

Download
memory/2976-13-0x0000000000400000-0x0000000002D9A000-memory.dmp

Filesize
41.6MB

Download
memory/3044-8-0x0000000000920000-0x0000000000A7D000-memory.dmp

Filesize
1.4MB

Download
memory/3044-11-0x0000000000920000-0x0000000000A7D000-memory.dmp

Filesize
1.4MB

Download
memory/3044-20-0x0000000000920000-0x0000000000A7D000-memory.dmp

Filesize
1.4MB

Download