Malware Analysis Report

2024-11-30 14:42

Sample ID 231230-ew2zmsbchl
Target 0e320557c1eec1fdc59223f4bf2d3e5e
SHA256 6abb3cc19d6f88bf35d506d10ee0c82cee7b5eebef4cbef70857cde8cd572894
Tags   danabot 5 banker trojan
Score  10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score  10/10

SHA256

6abb3cc19d6f88bf35d506d10ee0c82cee7b5eebef4cbef70857cde8cd572894

Threat Level: Known bad

The file 0e320557c1eec1fdc59223f4bf2d3e5e was found to be: Known bad.

Malicious Activity Summary

danabot 5 banker trojan

Danabot

Danabot Loader Component

Blocklisted process makes network request

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported  2023-12-30 04:18

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted         2023-12-30 04:18
Reported          2023-12-30 21:38
Platform          win7-20231215-en
Max time kernel   197s
Max time network  220s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe"

Signatures

Danabot  (tags: trojan, banker, danabot)

Danabot Loader Component

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe

"C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL,s C:\Users\Admin\AppData\Local\Temp\0E3205~1.EXE

Note: rundll32 is handed the dropped DLL by its 8.3 short name (0E3205~1.DLL), the export to call (s) and, as that export's argument, the short name of the sample itself (0E3205~1.EXE, the 8.3 form of 0e320557c1eec1fdc59223f4bf2d3e5e.exe in the same Temp directory). The command line names system32 while the running image is in SysWOW64: the caller is 32-bit, so WoW64 file system redirection substitutes the 32-bit rundll32.exe.

Network

Country  Destination         Domain  Proto
US       192.210.222.81:443          tcp

Note: this is the only row in the run's network table. No domain was recorded for the destination and no DNS query precedes it, so the connection was made to a literal IP address on port 443.

Files

memory/2596-2-0x0000000000400000-0x0000000000511000-memory.dmp

\Users\Admin\AppData\Local\Temp\0E3205~1.DLL

MD5     e1cc83616c86c0847355ac7c0b794bec
SHA1    2a847cf0e7ecc2811c1f8a10e0e742f32126077d
SHA256  0cecada4c3cce0dc9e884c05e5b1646ae1ad7cf4b09a2403b60e65e271d5fb76
SHA512  42465ccfb359b2ee7ed4828b4c3227f1c58ee58f60efc7c053255656d6b6cd024e5effb1bb2c839b04c452636a85beec1a0ac21f3dacaa16818bc6079e6fd136

memory/1740-13-0x00000000009D0000-0x0000000000B30000-memory.dmp

\Users\Admin\AppData\Local\Temp\0E3205~1.DLL

MD5     092f30ba16853b4b92b660a22de65b21
SHA1    bc985a64f76df2b030d9876f068910aeb4d86b0f
SHA256  32726cbc576fe61458228f5782a0d46e5f66fcb8a027657c61b0fe958307d1a3
SHA512  26eadb49e2ccb886a24fbf2ea3f590fe8aefa4beac6c0e9c2367c09375c60a4e1268f0b75aad8d2f804bac4770c7f190de367bdb31da18fdcd1c7b19fcc21ec5

\Users\Admin\AppData\Local\Temp\0E3205~1.DLL

MD5     6b16c63407bd53f70e952f40ea04ec18
SHA1    e3cad74e28acdb0a50b1ce46ef1d357dd5e283ad
SHA256  97bcf7a0d2757a58bb36dcd947240cbbbee6e414cb57302d325c7fc1d485dfb0
SHA512  e292a7981281578f5bee50541b68082a0daef060eb3e5d5e9583757e951643859b34c2dfe2ed8fe6eee3ecc149bffe28feebef80f570f78bdf0f83a95e0b89ac

Note: the same path is listed three times with three different hash sets, so three distinct file contents were recorded at that location during the run. Treat the path and the rundll32 launch as the indicator rather than any single DLL hash.

memory/2596-14-0x0000000000400000-0x0000000000511000-memory.dmp

memory/1740-15-0x00000000009D0000-0x0000000000B30000-memory.dmp

memory/2596-27-0x0000000000400000-0x0000000000511000-memory.dmp

memory/1740-30-0x00000000009D0000-0x0000000000B30000-memory.dmp

memory/1740-31-0x00000000009D0000-0x0000000000B30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted         2023-12-30 04:18
Reported          2023-12-30 21:37
Platform          win10v2004-20231215-en
Max time kernel   159s
Max time network  172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe"

Signatures

Danabot  (tags: trojan, banker, danabot)

Danabot Loader Component

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe

"C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL,s C:\Users\Admin\AppData\Local\Temp\0E3205~1.EXE

Note: the same launch as on Windows 7: the 32-bit rundll32 (SysWOW64, reached through WoW64 redirection of the system32 path) loads the dropped 0E3205~1.DLL, calls export s, and receives the sample's own 8.3 path as the argument.
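
The rundll32 launch recorded in the Processes sections of behavioral1 and behavioral2 can be turned into detection logic. The following is an added example, not code from the sandbox report or from any vendor rule set. It assumes process-creation records in a Sysmon-like shape (field names are illustrative); the two command lines are the ones the report lists, while the PIDs, the parent/child link and the benign third record are constructed for the example. The 8.3 short-name helper only produces the first (~1) candidate and is labelled as an approximation.

```python
"""Detect rundll32 executing a DLL from the user's Temp directory by its 8.3
short name, with the dropping executable's own path passed to the export.

Added example, not part of the sandbox report. EVENTS is constructed: the two
command lines are the report's, the PIDs/parent link and the benign record
are assumptions made for the example.
"""
import ntpath
import re

EVENTS = [
    {"pid": 2596, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe"'},
    {"pid": 1740, "ppid": 2596,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe "
                r"C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL,s "
                r"C:\Users\Admin\AppData\Local\Temp\0E3205~1.EXE"},
    # Constructed benign rundll32 use, for contrast.
    {"pid": 3001, "ppid": 900,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SHORT_NAME_RE = re.compile(r"^[A-Z0-9_]{1,6}~\d+(\.[A-Z0-9]{0,3})?$", re.IGNORECASE)
RUNDLL32_RE = re.compile(r'^\s*"?[^"\s]*rundll32\.exe"?\s+(.+)$', re.IGNORECASE)
DLL_EXPORT_RE = re.compile(r'^(?:"([^"]+)"|(\S+?)),(\w+)\s*(.*)$')


def short_name_candidate(path: str) -> str:
    """Approximate the Windows 8.3 short name of a file name (upper-cased).

    Returns the first candidate (~1): six valid characters of the base name,
    '~1', then up to three characters of the extension. Names that already
    fit 8.3 are returned unchanged. Assumption: collisions (~2, ~3, ... and
    the hash-based form after four collisions) are not modelled.
    """
    base, ext = ntpath.splitext(ntpath.basename(path))
    base_u = re.sub(r"[^A-Z0-9_]", "", base.upper())
    ext_u = re.sub(r"[^A-Z0-9_]", "", ext.upper())
    fits = (base_u == base.upper() and ext_u == ext.lstrip(".").upper()
            and len(base_u) <= 8 and len(ext_u) <= 3)
    if fits:
        return base_u + ("." + ext_u if ext_u else "")
    return base_u[:6] + "~1" + ("." + ext_u[:3] if ext_u else "")


def parse_rundll32(cmdline: str):
    """Split a rundll32 command line into (dll, export, argument string).

    rundll32 takes '<dll>,<export> [arguments]'; the DLL may be quoted.
    Returns None if the command line carries no DLL,export pair.
    """
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    m2 = DLL_EXPORT_RE.match(m.group(1).strip())
    if not m2:
        return None
    dll = m2.group(1) or m2.group(2)
    return dll, m2.group(3), m2.group(4).strip()


def analyse(events):
    """Return one finding per rundll32 process that matches the loader pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "rundll32.exe":
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        dll, export, arg = parsed
        reasons = []
        if TEMP_DIR_RE.search(dll):
            reasons.append("dll_in_user_temp")        # DLL sits in %TEMP%
        if SHORT_NAME_RE.match(ntpath.basename(dll)):
            reasons.append("dll_8dot3_name")          # referenced by short name
        parent = by_pid.get(e["ppid"])
        if parent is not None and arg:
            # The export argument is the parent's own image under its 8.3 name:
            # the loader tells the DLL where it lives.
            arg_name = ntpath.basename(arg.strip('"')).upper()
            if arg_name == short_name_candidate(parent["image"]):
                reasons.append("export_arg_is_parent_image")
        if reasons:
            findings.append({"pid": e["pid"], "dll": dll,
                             "export": export, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

On a live host the ~1 approximation is not enough once several long names share a six-character prefix in the same directory; there, compare against the short name the file system actually assigned (GetShortPathName) instead of the computed candidate. The three reasons are deliberately independent so that a hit on the Temp path alone still surfaces the launch when parent information is missing from the telemetry.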

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          83.177.190.20.in-addr.arpa   udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53          9.228.82.20.in-addr.arpa     udp
US       8.8.8.8:53          62.179.17.96.in-addr.arpa    udp
US       8.8.8.8:53          88.156.103.20.in-addr.arpa   udp
US       8.8.8.8:53          195.233.44.23.in-addr.arpa   udp
US       8.8.8.8:53          158.240.127.40.in-addr.arpa  udp
US       8.8.8.8:53          241.154.82.20.in-addr.arpa   udp
US       8.8.8.8:53          50.23.12.20.in-addr.arpa     udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa     udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa  udp
US       8.8.8.8:53          5.179.17.96.in-addr.arpa     udp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa   udp
US       8.8.8.8:53          2.136.104.51.in-addr.arpa    udp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa    udp
US       8.8.8.8:53          29.179.17.96.in-addr.arpa    udp
US       8.8.8.8:53          tse1.mm.bing.net             udp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       8.8.8.8:53          201.201.50.20.in-addr.arpa   udp

Note: the 8.8.8.8:53 rows are reverse (PTR) lookups, and the tse1.mm.bing.net traffic is consistent with Windows 10 background activity; neither is attributable to the sample from this table alone. The connection to 192.210.222.81:443 seen in behavioral1 was not recorded in this run.
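
A small triage pass over the two Network tables, added here as an example and not part of the sandbox report: it parses rows in the report's own column layout, turns PTR names back into the addresses that were looked up, counts name-resolved connections, and isolates connections for which no name was recorded. NETWORK_ROWS is constructed from the rows the two detonations list; BACKGROUND_SUFFIXES is an assumption about which names to treat as OS background traffic.

```python
"""Bucket sandbox network rows into PTR lookups, forward DNS queries,
name-resolved connections, background-name connections and direct-to-IP
connections (no name recorded).

Added example, not part of the sandbox report. NETWORK_ROWS is constructed
from the report's two Network tables; BACKGROUND_SUFFIXES is an assumption.
"""
from collections import Counter

NETWORK_ROWS = """\
US 192.210.222.81:443 tcp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 62.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"
BACKGROUND_SUFFIXES = (".bing.net",)  # assumption: OS background, not sample traffic


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'83.177.190.20.in-addr.arpa' -> '20.190.177.83' (IPv4 PTR names only)."""
    lowered = name.lower()
    if not lowered.endswith(PTR_SUFFIX):
        raise ValueError(f"not a PTR name: {name}")
    labels = lowered[:-len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(labels))


def triage(rows):
    """Return the buckets described in the module docstring."""
    out = {"ptr_lookups": [], "forward_dns": [], "resolved": Counter(),
           "background": [], "direct_ip": []}
    for r in rows:
        key = f"{r['ip']}:{r['port']}"
        if r["port"] == 53 and r["proto"] == "udp":
            if r["domain"].lower().endswith(PTR_SUFFIX):
                out["ptr_lookups"].append(ptr_to_ip(r["domain"]))
            elif r["domain"]:
                out["forward_dns"].append(r["domain"])
            continue
        if r["domain"]:
            out["resolved"][(key, r["domain"])] += 1
            if (r["domain"].lower().endswith(BACKGROUND_SUFFIXES)
                    and key not in out["background"]):
                out["background"].append(key)
        elif key not in out["direct_ip"]:
            out["direct_ip"].append(key)  # no name seen: literal address in the sample
    return out


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    print("direct-to-IP:", result["direct_ip"])
    print("PTR targets: ", result["ptr_lookups"])
```

The direct-to-IP bucket is the one to carry into blocklists; the PTR targets are worth keeping only as context, since a reverse lookup of an address says nothing about who initiated traffic to it.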

Files

memory/2000-0-0x0000000000400000-0x0000000000511000-memory.dmp

memory/2000-3-0x0000000000400000-0x0000000000511000-memory.dmp

memory/2000-9-0x0000000000400000-0x0000000000511000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL

MD5     65ad7931a1adaab562852ba347a4ff9a
SHA1    bfc4bdaa5beb5f33c9cbdb8d1bbfa74c0b44a7b5
SHA256  eb64ede65019c5f166707e3c9f2047b5e357f96db57dab57c338e5ee27f01bf3
SHA512  a19f4d1fb6cff0e7907429ac68cdc9673ca9c067872b38da554b030f2486b8951e9416fd8fa6556a97958ac7747b13b1536950c74828dc5f2779502e9a75d457

Note: this hash set matches none of the three recorded for the same path in behavioral1, so the dropped DLL's content varies between detonations and its hash is not a reliable indicator.

memory/3440-13-0x0000000002230000-0x0000000002390000-memory.dmp

memory/2000-14-0x0000000000400000-0x0000000000511000-memory.dmp

memory/3440-15-0x0000000002230000-0x0000000002390000-memory.dmp

memory/2000-26-0x0000000000400000-0x0000000000511000-memory.dmp