Malware Analysis Report

2024-11-30 14:42

Sample ID 240107-km727aage3
Target 4886d9d33e6049b84159ee4681c9b712
SHA256 4dbfdae091635ba9e56b2b0c4b25523e5e16e373786cfaa3065e0cea730746fb
Tags
danabot 4 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4dbfdae091635ba9e56b2b0c4b25523e5e16e373786cfaa3065e0cea730746fb

Threat Level: Known bad

The file 4886d9d33e6049b84159ee4681c9b712 was found to be: Known bad.

Malicious Activity Summary

danabot 4 banker trojan

Danabot Loader Component

Danabot

Blocklisted process makes network request

Loads dropped DLL

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-07 08:44

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 08:44

Reported

2024-01-07 08:48

Platform

win7-20231215-en

Max time kernel

213s

Max time network

187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4886d9d33e6049b84159ee4681c9b712.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4886d9d33e6049b84159ee4681c9b712.exe

"C:\Users\Admin\AppData\Local\Temp\4886d9d33e6049b84159ee4681c9b712.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4886D9~1.TMP,S C:\Users\Admin\AppData\Local\Temp\4886D9~1.EXE

Network

Country  Destination          Domain  Proto
NL       193.34.167.138:443   N/A     tcp

Files

memory/2624-0-0x0000000004650000-0x0000000004739000-memory.dmp

memory/2624-2-0x0000000004740000-0x000000000483E000-memory.dmp

memory/2624-1-0x0000000004650000-0x0000000004739000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4886D9~1.TMP

MD5 cfc25f6127c1542eee376a6b9fb0d3d9
SHA1 cf1c89eba15320765f2b6ebced98edd77ed67a6e
SHA256 8af95e7b245deede697fbb9081551dd88610dfd72a0cba790c7c382c29f99ccc
SHA512 4dbb5f03fecd7da3833197b36288d0431820ba72ede7d0c07bfa9aae7ffcddf67ab6f1acf6f46567d69b0b90d042067c602cf02e6d527cf7e79271339034295d

memory/2624-5-0x0000000000400000-0x0000000002D97000-memory.dmp

memory/2624-7-0x0000000004740000-0x000000000483E000-memory.dmp

memory/2624-8-0x0000000000400000-0x0000000002D97000-memory.dmp

\Users\Admin\AppData\Local\Temp\4886D9~1.TMP

MD5 7d1a0d85d5f9e1743d5415bd4e51ecf6
SHA1 05c89a624c4860760c9da99cbdacd2d322d531ab
SHA256 d6fdd1858144dfa7746e16d6881eb216a1bbb7781c590075f6b048e0d8189b3b
SHA512 b8e00d8cc5cbf24c30e30d0a9d1b2e0c1f2c8a90c25e8bf2a9973b300a250f8a99a8cbc51179195bda76d33524d88edbfc4fb9b4a0a839e4b8d44e4dc9716aa5

memory/1492-10-0x0000000001D50000-0x0000000001EAD000-memory.dmp

memory/1492-11-0x0000000001D50000-0x0000000001EAD000-memory.dmp

memory/2624-12-0x0000000000400000-0x0000000002D97000-memory.dmp

memory/1492-20-0x0000000001D50000-0x0000000001EAD000-memory.dmp

memory/1492-21-0x0000000001D50000-0x0000000001EAD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 08:44

Reported

2024-01-07 08:47

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4886d9d33e6049b84159ee4681c9b712.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4886d9d33e6049b84159ee4681c9b712.exe

"C:\Users\Admin\AppData\Local\Temp\4886d9d33e6049b84159ee4681c9b712.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4886D9~1.TMP,S C:\Users\Admin\AppData\Local\Temp\4886D9~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3304 -ip 3304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 516

Network

Country  Destination          Domain                        Proto
US       20.231.121.79:80     N/A                           tcp
US       8.8.8.8:53           83.177.190.20.in-addr.arpa    udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53           194.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53           g.bing.com                    udp
US       204.79.197.200:443   g.bing.com                    tcp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa     udp
US       8.8.8.8:53           158.240.127.40.in-addr.arpa   udp
US       8.8.8.8:53           59.128.231.4.in-addr.arpa     udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53           103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53           146.78.124.51.in-addr.arpa    udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53           18.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       8.8.8.8:53           104.241.123.92.in-addr.arpa   udp
US       8.8.8.8:53           119.110.54.20.in-addr.arpa    udp
US       8.8.8.8:53           173.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53           174.178.17.96.in-addr.arpa    udp
NL       193.34.167.138:443   N/A                           tcp
US       8.8.8.8:53           138.167.34.193.in-addr.arpa   udp
US       8.8.8.8:53           211.135.221.88.in-addr.arpa   udp
US       8.8.8.8:53           217.135.221.88.in-addr.arpa   udp
US       8.8.8.8:53           79.121.231.20.in-addr.arpa    udp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53           209.143.182.52.in-addr.arpa   udp

Files

memory/3304-1-0x0000000004C00000-0x0000000004CF4000-memory.dmp

memory/3304-2-0x0000000004D00000-0x0000000004DFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4886D9~1.EXE.tmp

MD5 71c69fab6bc02f742d3936c6e61c5052
SHA1 4320ab9131a964d12e4377514f829d784de5e11d
SHA256 b28526f8dade56a0b172d478068c46cef567c0d1fcc37eddd64be81f5238d0e7
SHA512 0c698b426c8257f69492a4632f52a47b82e27b05a552e4f21ddd4449e91201dfd81a591bec3ce450ccee382511c8e6355136d94304f2102e8c73f9f41d36881c

C:\Users\Admin\AppData\Local\Temp\4886D9~1.TMP

MD5 9b5b39529dc7a34b493c00719d8d99f4
SHA1 9aa4755afbc0ab27fa379e4a8b94f10247c6ee42
SHA256 79d9138c94828c3aeed0c57abf819bfefeadbfddeda4612659e7c2358e541017
SHA512 25e681297a104e29283219f558583b6457728f605549ccdf6353cdae9f3be384622b0602719c099da24b97989d337d0cdaf4652e8bec3864b482bc4ec761d948

memory/3304-7-0x0000000000400000-0x0000000002D97000-memory.dmp

memory/3304-8-0x0000000000400000-0x0000000002D97000-memory.dmp

memory/3304-9-0x0000000004D00000-0x0000000004DFE000-memory.dmp

memory/4624-10-0x0000000000400000-0x000000000055D000-memory.dmp

memory/4624-18-0x0000000000400000-0x000000000055D000-memory.dmp