Analysis

  • max time kernel
    168s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-12-2023 07:14

General

  • Target

    11e11143ef5713077396f32f3fafd109.exe

  • Size

    1.2MB

  • MD5

    11e11143ef5713077396f32f3fafd109

  • SHA1

    d2d8950d848129ab460439d3e4a0615f5f2d10c3

  • SHA256

    0d6b46f8c96f69555ad79d7fdfd91c2eb24e3baa5b89dea1b3a024f28cb40be7

  • SHA512

    92afb5046efb98ea7d930132481226eb8ad6250b363d670450c0e972e1253a59d958df7a4fffb99d20017bae4246b5a86fa03bf9865a2da155e1d03e9bbb3fc9

  • SSDEEP

    24576:NLmxtn8xbSdKS1c6x62DAHzisGqQLlrwAta5Hsr8Ft5M6:Nw8xbEdx6sH9LlUAtaRnn

Score
10/10

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.124:443

142.11.206.50:443

Attributes
  • embedded_hash

    6AD9FE4F9E491E785665E0D144F61DAB

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component 12 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe
    "C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\11E111~1.TMP,S C:\Users\Admin\AppData\Local\Temp\11E111~1.EXE
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:4580
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 536
      2⤵
      • Program crash
      PID:1884
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1972 -ip 1972
    1⤵
    PID:1140

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\11E111~1.EXE.tmp

      Filesize

      419KB

      MD5

      ff97c1c652c8698094acccf11aa77bf7

      SHA1

      90b5c1f98324adaf84a4e2424fb1a3f91e9cda33

      SHA256

      4370202bbf13aee6f8d93648b5d649ea08dc1f7e0dfad46aaf86c15781258ec7

      SHA512

      dfdb50e1559eaf8ceb92463edaee225962721160148dc3fc1258a0e8758438005d869ddff37bb459f3e7131a5ff94ca854dda84b244c87d6f8f95509eff34e50

    • C:\Users\Admin\AppData\Local\Temp\11E111~1.EXE.tmp

      Filesize

      894KB

      MD5

      3c03b1c67fbf9c771b826058947dd0f7

      SHA1

      b209c9b6cd5de796073f16af7d8f56ee1fd37363

      SHA256

      378da9bfb98d564e5555322ca855e9e5c48152a4126d47befcae77aca2a8d468

      SHA512

      30d14a73e7db254dcca1f775ad9691c4f8cbfa39d113b2e31b093576ae221a334e1be0e2fff23c8c8ccf5bcb24adbd8bdfab507fa52d960837b2cd3b38783d8f

    • C:\Users\Admin\AppData\Local\Temp\11E111~1.TMP

      Filesize

      1.2MB

      MD5

      bfa17d48f7c282a3d758bdbb2079e067

      SHA1

      610cbd992dc186b0bb909e9499269a6618e353de

      SHA256

      347b5d5fdd4d0c0c4174d832481e7079e0c096bed60c2ed95e0306f468cc2dae

      SHA512

      e3ee96cdd526cd8e11ca1c8c163a6185dc806372a2d997f6a6fe17914251fb8954b89700ab25a0a1142d89558ce4cd379c27f82aca3452370c0eb948677bd2af

    • memory/1972-11-0x0000000002470000-0x0000000002570000-memory.dmp

      Filesize

      1024KB

    • memory/1972-1-0x0000000002370000-0x0000000002469000-memory.dmp

      Filesize

      996KB

    • memory/1972-3-0x0000000000400000-0x0000000000549000-memory.dmp

      Filesize

      1.3MB

    • memory/1972-2-0x0000000002470000-0x0000000002570000-memory.dmp

      Filesize

      1024KB

    • memory/1972-10-0x0000000000400000-0x0000000000549000-memory.dmp

      Filesize

      1.3MB

    • memory/4580-20-0x0000000001F20000-0x000000000207F000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-12-0x0000000001F20000-0x000000000207F000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-9-0x0000000001F20000-0x000000000207F000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-21-0x0000000001F20000-0x000000000207F000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-22-0x0000000001F20000-0x000000000207F000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-23-0x0000000001F20000-0x000000000207F000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-24-0x0000000001F20000-0x000000000207F000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-25-0x0000000001F20000-0x000000000207F000-memory.dmp

      Filesize

      1.4MB

    • memory/4580-26-0x0000000001F20000-0x000000000207F000-memory.dmp

      Filesize

      1.4MB