danabot | 6abb3cc19d6f88bf35d506d10ee0c82cee7b5eebef4cbef70857cde8cd572894

Analysis

max time kernel
197s
max time network
220s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e320557c1eec1fdc59223f4bf2d3e5e.exe
Size

1.0MB
MD5

0e320557c1eec1fdc59223f4bf2d3e5e
SHA1

50f5c455c19d9488d8a7b927348978e9350d5897
SHA256

6abb3cc19d6f88bf35d506d10ee0c82cee7b5eebef4cbef70857cde8cd572894
SHA512

90a9e8c4dacda35e485dd47ea26de218dc47194f95ec9d4f441011e1970afb5021448c0aecb50e11c0f2617077fead79907a137447905bafc5983de517a8526c
SSDEEP

24576:zZ/v969WPODNO3/J/d03mGBPPCVW1XYyRPQtm1:zZs3ypS3mGBPPC2oyEi

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

192.210.222.81:443

23.229.29.48:443

5.9.224.204:443

192.255.166.212:443

Attributes

embedded_hash
100700D372965A717E89B8C909E1D8D4
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\0E3205~1.DLL	DanabotLoader2021
behavioral1/memory/1740-13-0x00000000009D0000-0x0000000000B30000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\0E3205~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\0E3205~1.DLL	DanabotLoader2021
behavioral1/memory/1740-15-0x00000000009D0000-0x0000000000B30000-memory.dmp	DanabotLoader2021
behavioral1/memory/1740-30-0x00000000009D0000-0x0000000000B30000-memory.dmp	DanabotLoader2021
behavioral1/memory/1740-31-0x00000000009D0000-0x0000000000B30000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1740 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1740 rundll32.exe
1740 rundll32.exe
1740 rundll32.exe
1740 rundll32.exe

flow	pid	process
2	1740	rundll32.exe

pid	process
1740	rundll32.exe
1740	rundll32.exe
1740	rundll32.exe
1740	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

0e320557c1eec1fdc59223f4bf2d3e5e.exe

description	pid	process	target process
PID 2596 wrote to memory of 1740	2596	0e320557c1eec1fdc59223f4bf2d3e5e.exe	rundll32.exe
PID 2596 wrote to memory of 1740	2596	0e320557c1eec1fdc59223f4bf2d3e5e.exe	rundll32.exe
PID 2596 wrote to memory of 1740	2596	0e320557c1eec1fdc59223f4bf2d3e5e.exe	rundll32.exe
PID 2596 wrote to memory of 1740	2596	0e320557c1eec1fdc59223f4bf2d3e5e.exe	rundll32.exe
PID 2596 wrote to memory of 1740	2596	0e320557c1eec1fdc59223f4bf2d3e5e.exe	rundll32.exe
PID 2596 wrote to memory of 1740	2596	0e320557c1eec1fdc59223f4bf2d3e5e.exe	rundll32.exe
PID 2596 wrote to memory of 1740	2596	0e320557c1eec1fdc59223f4bf2d3e5e.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe
"C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL,s C:\Users\Admin\AppData\Local\Temp\0E3205~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0E3205~1.DLL
Filesize
5KB

MD5
e1cc83616c86c0847355ac7c0b794bec

SHA1
2a847cf0e7ecc2811c1f8a10e0e742f32126077d

SHA256
0cecada4c3cce0dc9e884c05e5b1646ae1ad7cf4b09a2403b60e65e271d5fb76

SHA512
42465ccfb359b2ee7ed4828b4c3227f1c58ee58f60efc7c053255656d6b6cd024e5effb1bb2c839b04c452636a85beec1a0ac21f3dacaa16818bc6079e6fd136

Download Submit
\Users\Admin\AppData\Local\Temp\0E3205~1.DLL
Filesize
1KB

MD5
6b16c63407bd53f70e952f40ea04ec18

SHA1
e3cad74e28acdb0a50b1ce46ef1d357dd5e283ad

SHA256
97bcf7a0d2757a58bb36dcd947240cbbbee6e414cb57302d325c7fc1d485dfb0

SHA512
e292a7981281578f5bee50541b68082a0daef060eb3e5d5e9583757e951643859b34c2dfe2ed8fe6eee3ecc149bffe28feebef80f570f78bdf0f83a95e0b89ac

Download Submit
\Users\Admin\AppData\Local\Temp\0E3205~1.DLL
Filesize
7KB

MD5
092f30ba16853b4b92b660a22de65b21

SHA1
bc985a64f76df2b030d9876f068910aeb4d86b0f

SHA256
32726cbc576fe61458228f5782a0d46e5f66fcb8a027657c61b0fe958307d1a3

SHA512
26eadb49e2ccb886a24fbf2ea3f590fe8aefa4beac6c0e9c2367c09375c60a4e1268f0b75aad8d2f804bac4770c7f190de367bdb31da18fdcd1c7b19fcc21ec5

Download Submit
memory/1740-13-0x00000000009D0000-0x0000000000B30000-memory.dmp

Filesize
1.4MB

Download
memory/1740-15-0x00000000009D0000-0x0000000000B30000-memory.dmp

Filesize
1.4MB

Download
memory/1740-30-0x00000000009D0000-0x0000000000B30000-memory.dmp

Filesize
1.4MB

Download
memory/1740-31-0x00000000009D0000-0x0000000000B30000-memory.dmp

Filesize
1.4MB

Download
memory/2596-2-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2596-14-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2596-27-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download