danabot | 463654d4c0ca86dbb8f6babe6f7614ce7475dd195bc1c6ea5b854a0ed7f6108f

Analysis

max time kernel
156s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02f6cd0c20673f819bba4b21f4d30d44.exe
Size

1.2MB
MD5

02f6cd0c20673f819bba4b21f4d30d44
SHA1

fbc98200bb30e5fd14b547dc75311f683ae0c875
SHA256

463654d4c0ca86dbb8f6babe6f7614ce7475dd195bc1c6ea5b854a0ed7f6108f
SHA512

be485b4aed3fe843787d7a944698a4a1d0f0ad7347b0117ad77eccc3539523b4082bb913510d9b4225170108ba0579b074a229974369cf61e2c1c08fc320a66f
SSDEEP

24576:w6TleADmI4T1kagXHq96dUEcZeN8VTbmH:LlI1kagFUEcZeOtm

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 10 IoCs

resource	yara_rule
behavioral2/files/0x000700000002321e-6.dat	DanabotLoader2021
behavioral2/memory/2400-10-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2400-18-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2400-19-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2400-20-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2400-21-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2400-22-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2400-23-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2400-24-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2400-25-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
79	2400	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2400	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2040	4688	WerFault.exe	86

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 2400	4688	02f6cd0c20673f819bba4b21f4d30d44.exe	91
PID 4688 wrote to memory of 2400	4688	02f6cd0c20673f819bba4b21f4d30d44.exe	91
PID 4688 wrote to memory of 2400	4688	02f6cd0c20673f819bba4b21f4d30d44.exe	91

C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe
"C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP,S C:\Users\Admin\AppData\Local\Temp\02F6CD~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 488
  2⤵
  - Program crash
  PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4688 -ip 4688
1⤵
PID:936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP

Filesize
1013KB

MD5
8d5abec852a40a36fbc457035d1d6454

SHA1
8954ffe0feef5e3c0d5443461f3e25e6900cc6ac

SHA256
f7d7fbcbbf25de121aaf9bf69ad4660042c13b55e53d192d6e2c97e07ccece58

SHA512
747f5570d8f68e84649167d6b18838831e2d0d82e8924c1f251e3208aaf0ccbf19cd800647ae6f7dca32a0c7fb3096eaf63182b236d1dd6e51364859a2ad6bc2

Download Submit
memory/2400-20-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4688-1-0x0000000000D80000-0x0000000000E6F000-memory.dmp

Filesize
956KB

Download
memory/4688-2-0x0000000000E90000-0x0000000000F8F000-memory.dmp

Filesize
1020KB

Download
memory/4688-8-0x0000000000400000-0x00000000009E2000-memory.dmp

Filesize
5.9MB

Download
memory/4688-9-0x0000000000E90000-0x0000000000F8F000-memory.dmp

Filesize
1020KB

Download
memory/4688-3-0x0000000000400000-0x00000000009E2000-memory.dmp

Filesize
5.9MB

Download