danabot | 6abb3cc19d6f88bf35d506d10ee0c82cee7b5eebef4cbef70857cde8cd572894

Analysis

max time kernel
159s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 04:18

Target

0e320557c1eec1fdc59223f4bf2d3e5e.exe
Size

1.0MB
MD5

0e320557c1eec1fdc59223f4bf2d3e5e
SHA1

50f5c455c19d9488d8a7b927348978e9350d5897
SHA256

6abb3cc19d6f88bf35d506d10ee0c82cee7b5eebef4cbef70857cde8cd572894
SHA512

90a9e8c4dacda35e485dd47ea26de218dc47194f95ec9d4f441011e1970afb5021448c0aecb50e11c0f2617077fead79907a137447905bafc5983de517a8526c
SSDEEP

24576:zZ/v969WPODNO3/J/d03mGBPPCVW1XYyRPQtm1:zZs3ypS3mGBPPC2oyEi

Score

10^/10

Family

danabot

Botnet

192.210.222.81:443

23.229.29.48:443

5.9.224.204:443

192.255.166.212:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL	DanabotLoader2021
behavioral2/memory/3440-13-0x0000000002230000-0x0000000002390000-memory.dmp	DanabotLoader2021
behavioral2/memory/3440-15-0x0000000002230000-0x0000000002390000-memory.dmp	DanabotLoader2021

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

3440 rundll32.exe
3440 rundll32.exe

pid	process
3440	rundll32.exe
3440	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0e320557c1eec1fdc59223f4bf2d3e5e.exe

description	pid	process	target process
PID 2000 wrote to memory of 3440	2000	0e320557c1eec1fdc59223f4bf2d3e5e.exe	rundll32.exe
PID 2000 wrote to memory of 3440	2000	0e320557c1eec1fdc59223f4bf2d3e5e.exe	rundll32.exe
PID 2000 wrote to memory of 3440	2000	0e320557c1eec1fdc59223f4bf2d3e5e.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe
"C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL,s C:\Users\Admin\AppData\Local\Temp\0E3205~1.EXE
2⤵
- Loads dropped DLL
PID:3440

C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL
Filesize
1.3MB

MD5
65ad7931a1adaab562852ba347a4ff9a

SHA1
bfc4bdaa5beb5f33c9cbdb8d1bbfa74c0b44a7b5

SHA256
eb64ede65019c5f166707e3c9f2047b5e357f96db57dab57c338e5ee27f01bf3

SHA512
a19f4d1fb6cff0e7907429ac68cdc9673ca9c067872b38da554b030f2486b8951e9416fd8fa6556a97958ac7747b13b1536950c74828dc5f2779502e9a75d457

Download Submit
memory/2000-0-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2000-3-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2000-9-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2000-14-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2000-26-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/3440-13-0x0000000002230000-0x0000000002390000-memory.dmp

Filesize
1.4MB

Download
memory/3440-15-0x0000000002230000-0x0000000002390000-memory.dmp

Filesize
1.4MB

Download