Malware Analysis Report

2024-11-30 14:42

Sample ID 231230-h26fsshdgk
Target 11e11143ef5713077396f32f3fafd109
SHA256 0d6b46f8c96f69555ad79d7fdfd91c2eb24e3baa5b89dea1b3a024f28cb40be7
Tags
danabot 4 banker trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0d6b46f8c96f69555ad79d7fdfd91c2eb24e3baa5b89dea1b3a024f28cb40be7

Threat Level: Known bad

The file 11e11143ef5713077396f32f3fafd109 was found to be: Known bad.

Malicious Activity Summary

danabot 4 banker trojan

Danabot

Danabot Loader Component

Blocklisted process makes network request

Loads dropped DLL

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-30 07:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 07:14

Reported

2023-12-31 05:16

Platform

win7-20231215-en

Max time kernel

143s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe

"C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\11E111~1.TMP,S C:\Users\Admin\AppData\Local\Temp\11E111~1.EXE

Network

Country Destination Domain Proto
US 142.11.244.124:443 - tcp

Files

\Users\Admin\AppData\Local\Temp\11E111~1.TMP

MD5 42f86633a7005d0beb369c7658bd6344
SHA1 046e4bfb1ca72a4c137e3915230530879d23249c
SHA256 642f76e4b7931fffd18fc9015456b074144ba343f7af8ee787235e1657acefbd
SHA512 fb32e8ce8521bad085b3f2c9740ecb2ebabf1678e81a3c9d5a6e4b0e909edbfa26a571d3ab855252d4654345b13b7c87fe90c5314305bc160d74790846c051e9

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 07:14

Reported

2023-12-31 05:14

Platform

win10v2004-20231215-en

Max time kernel

168s

Max time network

178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe

"C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\11E111~1.TMP,S C:\Users\Admin\AppData\Local\Temp\11E111~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1972 -ip 1972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 536

Network

Country Destination Domain Proto
US 20.231.121.79:80 - tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 96.16.110.41:443 - tcp
US 192.229.221.95:80 - tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 142.11.244.124:443 - tcp
US 8.8.8.8:53 59.189.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\11E111~1.TMP

MD5 bfa17d48f7c282a3d758bdbb2079e067
SHA1 610cbd992dc186b0bb909e9499269a6618e353de
SHA256 347b5d5fdd4d0c0c4174d832481e7079e0c096bed60c2ed95e0306f468cc2dae
SHA512 e3ee96cdd526cd8e11ca1c8c163a6185dc806372a2d997f6a6fe17914251fb8954b89700ab25a0a1142d89558ce4cd379c27f82aca3452370c0eb948677bd2af

C:\Users\Admin\AppData\Local\Temp\11E111~1.EXE.tmp

MD5 3c03b1c67fbf9c771b826058947dd0f7
SHA1 b209c9b6cd5de796073f16af7d8f56ee1fd37363
SHA256 378da9bfb98d564e5555322ca855e9e5c48152a4126d47befcae77aca2a8d468
SHA512 30d14a73e7db254dcca1f775ad9691c4f8cbfa39d113b2e31b093576ae221a334e1be0e2fff23c8c8ccf5bcb24adbd8bdfab507fa52d960837b2cd3b38783d8f

C:\Users\Admin\AppData\Local\Temp\11E111~1.EXE.tmp

MD5 ff97c1c652c8698094acccf11aa77bf7
SHA1 90b5c1f98324adaf84a4e2424fb1a3f91e9cda33
SHA256 4370202bbf13aee6f8d93648b5d649ea08dc1f7e0dfad46aaf86c15781258ec7
SHA512 dfdb50e1559eaf8ceb92463edaee225962721160148dc3fc1258a0e8758438005d869ddff37bb459f3e7131a5ff94ca854dda84b244c87d6f8f95509eff34e50
