Malware Analysis Report

2024-11-30 14:40

Sample ID: 240106-l4rxzadben
Target:    459aaa0523583f8171f012b9d7dd7136.exe
SHA256:    c3cb419c2c74276267a476c49fbda1b8e7700cbf03de07e4bf46523b095bbe2e
Tags:      danabot 4 banker trojan
Score:     10/10

Analysis Overview

Score: 10/10

SHA256: c3cb419c2c74276267a476c49fbda1b8e7700cbf03de07e4bf46523b095bbe2e

Threat Level: Known bad

The file 459aaa0523583f8171f012b9d7dd7136.exe was found to be: Known bad.

Malicious Activity Summary

danabot 4 banker trojan

Danabot

Danabot Loader Component

Blocklisted process makes network request

Loads dropped DLL

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-01-06 10:05

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-06 10:05
Reported: 2024-01-06 10:08
Platform: win7-20231129-en
Max time kernel: 141s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\459aaa0523583f8171f012b9d7dd7136.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\459aaa0523583f8171f012b9d7dd7136.exe

"C:\Users\Admin\AppData\Local\Temp\459aaa0523583f8171f012b9d7dd7136.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\459AAA~1.TMP,S C:\Users\Admin\AppData\Local\Temp\459AAA~1.EXE

Network

Country  Destination          Domain  Proto
US       142.11.244.124:443           tcp

Files

memory/1068-0-0x0000000004C10000-0x0000000004CFA000-memory.dmp
memory/1068-1-0x0000000004C10000-0x0000000004CFA000-memory.dmp
memory/2032-8-0x0000000002220000-0x000000000237E000-memory.dmp

\Users\Admin\AppData\Local\Temp\459AAA~1.TMP
  MD5    745847d56a0f00c521cf7df2c8f25189
  SHA1   983bb73a3da2ce7aa8a091efcd51b1ccb8890522
  SHA256 b39231454bf858c0a6cbdc4f604299c0562a9c2c1ad5bfebc595ad54a857f683
  SHA512 23ffa6c41c61d1b7bc3fefbdfc46fbe963b73ed59379b045b46fd5fd5699d1926940ed01b30aeeb4e891fe04e90a6963e77579e02a419d8ba4ac8c3aaef5c5d3

C:\Users\Admin\AppData\Local\Temp\459AAA~1.TMP
  MD5    edb851259aa62ed13231347e160f9dc3
  SHA1   6e5177a3ac08c18fc4dd69178df0a066a82dbde0
  SHA256 c38e0eb5f86ff09bc753049fb1257214c0edd936010fec0b2719e11ce279a855
  SHA512 f181b5328874bf1bcb74e823c8afebd4492cad7dcab3d750124736b0cc848ba07fc05836c1cf468d8cdc0f84a2d9b8e74b2f0f11225ef690bb99c3f6c365aa38

memory/1068-10-0x0000000004D70000-0x0000000004E6F000-memory.dmp
memory/1068-9-0x0000000000400000-0x0000000003327000-memory.dmp
memory/1068-5-0x0000000000400000-0x0000000003327000-memory.dmp
memory/1068-2-0x0000000004D70000-0x0000000004E6F000-memory.dmp
memory/2032-11-0x0000000002220000-0x000000000237E000-memory.dmp
memory/2032-19-0x0000000002220000-0x000000000237E000-memory.dmp
memory/2032-20-0x0000000002220000-0x000000000237E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-06 10:05
Reported: 2024-01-06 10:09
Platform: win10v2004-20231215-en
Max time kernel: 169s
Max time network: 183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\459aaa0523583f8171f012b9d7dd7136.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\459aaa0523583f8171f012b9d7dd7136.exe

"C:\Users\Admin\AppData\Local\Temp\459aaa0523583f8171f012b9d7dd7136.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\459AAA~1.TMP,S C:\Users\Admin\AppData\Local\Temp\459AAA~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1828 -ip 1828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 508

Network

Country  Destination          Domain                         Proto
US       138.91.171.81:80                                    tcp
US       8.8.8.8:53           20.177.190.20.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           0.204.248.87.in-addr.arpa      udp
US       8.8.8.8:53           55.36.223.20.in-addr.arpa      udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53           56.126.166.20.in-addr.arpa     udp
US       8.8.8.8:53           146.78.124.51.in-addr.arpa     udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa     udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53           217.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53           59.128.231.4.in-addr.arpa      udp
US       8.8.8.8:53           2.136.104.51.in-addr.arpa      udp
US       8.8.8.8:53           tse1.mm.bing.net               udp
US       8.8.8.8:53           13.227.111.52.in-addr.arpa     udp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       8.8.8.8:53           194.178.17.96.in-addr.arpa     udp
US       142.11.244.124:443                                  tcp
US       8.8.8.8:53           178.223.142.52.in-addr.arpa    udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp

Files

memory/1828-1-0x0000000004F90000-0x000000000507F000-memory.dmp
memory/1828-2-0x00000000050A0000-0x000000000519F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\459AAA~1.TMP
  MD5    ce34a4c9639f7f0f13d259d55affceff
  SHA1   b18bdbac065f8269ab97371b299e8ae962158a46
  SHA256 5c2aba31ea258d82b729777bf69b3badbf826bb177a71a5d14149b88d63f9667
  SHA512 704fa907e984ba2c84b4b18fe2dc065ef11b09f7d9d2f5cef4375ec492cd7988825acd57cddc7804e73325fcc2ffae9e32f2c4c957f692765971180e815ab363

C:\Users\Admin\AppData\Local\Temp\459AAA~1.EXE.tmp
  MD5    c5e865cac75a409789707e81379b2d07
  SHA1   96cebb3f096959724cee7c058d89be551ca936c2
  SHA256 3cf246b61b8af16e1ee9174b50f21abb3cd60d75cf7551b04b81b42e245dd972
  SHA512 4428c9961a40724023706c4283d81fac423fd4dd660c859638107aa7fc1e8e28b61a5d680e1ee3bc587476bd12bd076a0add17b1c83e04cde6019930b23a41ea

memory/1828-7-0x0000000000400000-0x0000000003327000-memory.dmp
memory/1828-8-0x0000000000400000-0x0000000003327000-memory.dmp
memory/1828-9-0x00000000050A0000-0x000000000519F000-memory.dmp
memory/4068-10-0x0000000000400000-0x000000000055E000-memory.dmp
memory/4068-18-0x0000000000400000-0x000000000055E000-memory.dmp
memory/4068-19-0x0000000000400000-0x000000000055E000-memory.dmp