danabot | 78136bd4e41f6a2e4dd7c9b765dd6ffb2b2e86b5362405efe237a1e2a62444bd

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 05:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

456d293ee065a67f35ff9df70c1c05e2.exe
Size

1.1MB
MD5

456d293ee065a67f35ff9df70c1c05e2
SHA1

492a2e7f80f73ebe9f9949858d3980d0e5264b62
SHA256

78136bd4e41f6a2e4dd7c9b765dd6ffb2b2e86b5362405efe237a1e2a62444bd
SHA512

e8382bb68110b8f30925eb6d9705df5a38640afdfc7ae70d0a514be0aaad23a124252e3cebe20a666921e649735e5343f675bc30737431132c0d683d3d7101f8
SSDEEP

24576:Jj8CAyECDWSv+0MgGEgdfIMD/a1pvqvw:JACAyhz+0MgNK3+7vqv

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.206.50:443

142.11.244.124:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 11 IoCs

resource	yara_rule
behavioral1/memory/1728-9-0x0000000000AD0000-0x0000000000C2F000-memory.dmp	DanabotLoader2021
behavioral1/files/0x000b00000001224c-7.dat	DanabotLoader2021
behavioral1/memory/1728-10-0x0000000000AD0000-0x0000000000C2F000-memory.dmp	DanabotLoader2021
behavioral1/memory/1728-18-0x0000000000AD0000-0x0000000000C2F000-memory.dmp	DanabotLoader2021
behavioral1/memory/1728-19-0x0000000000AD0000-0x0000000000C2F000-memory.dmp	DanabotLoader2021
behavioral1/memory/1728-20-0x0000000000AD0000-0x0000000000C2F000-memory.dmp	DanabotLoader2021
behavioral1/memory/1728-21-0x0000000000AD0000-0x0000000000C2F000-memory.dmp	DanabotLoader2021
behavioral1/memory/1728-22-0x0000000000AD0000-0x0000000000C2F000-memory.dmp	DanabotLoader2021
behavioral1/memory/1728-23-0x0000000000AD0000-0x0000000000C2F000-memory.dmp	DanabotLoader2021
behavioral1/memory/1728-24-0x0000000000AD0000-0x0000000000C2F000-memory.dmp	DanabotLoader2021
behavioral1/memory/1728-25-0x0000000000AD0000-0x0000000000C2F000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1728	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1728	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1728	1776	456d293ee065a67f35ff9df70c1c05e2.exe	28
PID 1776 wrote to memory of 1728	1776	456d293ee065a67f35ff9df70c1c05e2.exe	28
PID 1776 wrote to memory of 1728	1776	456d293ee065a67f35ff9df70c1c05e2.exe	28
PID 1776 wrote to memory of 1728	1776	456d293ee065a67f35ff9df70c1c05e2.exe	28
PID 1776 wrote to memory of 1728	1776	456d293ee065a67f35ff9df70c1c05e2.exe	28
PID 1776 wrote to memory of 1728	1776	456d293ee065a67f35ff9df70c1c05e2.exe	28
PID 1776 wrote to memory of 1728	1776	456d293ee065a67f35ff9df70c1c05e2.exe	28

C:\Users\Admin\AppData\Local\Temp\456d293ee065a67f35ff9df70c1c05e2.exe
"C:\Users\Admin\AppData\Local\Temp\456d293ee065a67f35ff9df70c1c05e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\456D29~1.TMP,S C:\Users\Admin\AppData\Local\Temp\456D29~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-22-0x0000000000AD0000-0x0000000000C2F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-18-0x0000000000AD0000-0x0000000000C2F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-25-0x0000000000AD0000-0x0000000000C2F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-24-0x0000000000AD0000-0x0000000000C2F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-23-0x0000000000AD0000-0x0000000000C2F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-19-0x0000000000AD0000-0x0000000000C2F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-9-0x0000000000AD0000-0x0000000000C2F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-21-0x0000000000AD0000-0x0000000000C2F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-10-0x0000000000AD0000-0x0000000000C2F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-20-0x0000000000AD0000-0x0000000000C2F000-memory.dmp

Filesize
1.4MB

Download
memory/1776-1-0x0000000000BE0000-0x0000000000CCB000-memory.dmp

Filesize
940KB

Download
memory/1776-0-0x0000000000BE0000-0x0000000000CCB000-memory.dmp

Filesize
940KB

Download
memory/1776-5-0x0000000000400000-0x0000000000979000-memory.dmp

Filesize
5.5MB

Download
memory/1776-6-0x0000000000400000-0x0000000000979000-memory.dmp

Filesize
5.5MB

Download
memory/1776-2-0x00000000022C0000-0x00000000023C0000-memory.dmp

Filesize
1024KB

Download