Malware Analysis Report

2024-11-30 14:45

Sample ID 240109-ahhavsgdan
Target 4cd3122ecb4da50429a0967972e0592e
SHA256 ad2c6dbce9ba2f0e44e632fea78a573eba6ebfb6f70303653b4ac046b32604eb
Tags
danabot 4 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad2c6dbce9ba2f0e44e632fea78a573eba6ebfb6f70303653b4ac046b32604eb

Threat Level: Known bad

The file 4cd3122ecb4da50429a0967972e0592e was found to be: Known bad.

Malicious Activity Summary

danabot 4 banker trojan

Danabot

Danabot Loader Component

Blocklisted process makes network request

Loads dropped DLL

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-09 00:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-09 00:12

Reported

2024-01-09 00:15

Platform

win7-20231215-en

Max time kernel

151s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe

"C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4CD312~1.TMP,S C:\Users\Admin\AppData\Local\Temp\4CD312~1.EXE

Network

Country Destination Domain Proto
NL 193.34.167.138:443 tcp

Files

memory/2244-0-0x0000000000C10000-0x0000000000CF9000-memory.dmp

memory/2244-1-0x0000000000C10000-0x0000000000CF9000-memory.dmp

memory/2244-2-0x0000000000D00000-0x0000000000DFF000-memory.dmp

memory/2244-5-0x0000000000400000-0x00000000009DD000-memory.dmp

memory/2244-7-0x0000000000D00000-0x0000000000DFF000-memory.dmp

memory/2244-8-0x0000000000400000-0x00000000009DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4CD312~1.TMP

MD5 2cc9381935c5fe678fd34492a79bd415
SHA1 ea3339b3f548e019cb2d133dc774de880cf29e87
SHA256 c5ca9acbb7446804cd8074e63e0aa0c6a0293f8948ac99deccce1e730ecfbbd5
SHA512 e3126b03b4cc84b9b366f9821c7c2f72859bc8b34b5aecc18b50185a21508c32862f2b0f7a05f5e84bef0eb2061f0795fbe96863be9f85165a087c2aa9c4e762

memory/2448-10-0x00000000007C0000-0x000000000091D000-memory.dmp

memory/2448-11-0x00000000007C0000-0x000000000091D000-memory.dmp

memory/2244-13-0x0000000000400000-0x00000000009DD000-memory.dmp

memory/2448-20-0x00000000007C0000-0x000000000091D000-memory.dmp

memory/2448-21-0x00000000007C0000-0x000000000091D000-memory.dmp

memory/2448-22-0x00000000007C0000-0x000000000091D000-memory.dmp

memory/2448-23-0x00000000007C0000-0x000000000091D000-memory.dmp

memory/2448-24-0x00000000007C0000-0x000000000091D000-memory.dmp

memory/2448-25-0x00000000007C0000-0x000000000091D000-memory.dmp

memory/2448-26-0x00000000007C0000-0x000000000091D000-memory.dmp

memory/2448-27-0x00000000007C0000-0x000000000091D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-09 00:12

Reported

2024-01-09 00:15

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe

"C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5000 -ip 5000

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4CD312~1.TMP,S C:\Users\Admin\AppData\Local\Temp\4CD312~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 udp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
NL 193.34.167.138:443 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 138.167.34.193.in-addr.arpa udp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.174:80 tcp
US 8.8.8.8:53 udp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp

Files

memory/5000-1-0x0000000000C60000-0x0000000000D50000-memory.dmp

memory/5000-2-0x0000000000D60000-0x0000000000E5F000-memory.dmp

memory/5000-5-0x0000000000400000-0x00000000009DD000-memory.dmp

memory/1192-9-0x00000000008B0000-0x0000000000A0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4CD312~1.EXE.tmp

MD5 d6d1c2db31bb00d9996e94bbb752be86
SHA1 504b480f55f1c9a1000d9d8952826793523b99ec
SHA256 572e95c7d235bdb5398d01f1be77772abe21a4b24e4c698b35edc7e4c608e5bd
SHA512 26acf327814c4becd03eed02c46304e83ee9e1d5c7dc8d5857db518c3ad06b090f8c1891151e7e1f6c1d2167f90d7a6804be5a780de49bc27ab6bab62f8559de

C:\Users\Admin\AppData\Local\Temp\4CD312~1.EXE.tmp

MD5 19ef0a10a98fc4c3ab8e212b0769b113
SHA1 dc7bec254d12fe47d524161b314f9f9d86fa61a0
SHA256 99fb886799bf12e075483073cec12e3a337c9312aeee9443533badd5463652f7
SHA512 06a4361054771ba8bfebccd811b241c873eb73ccba415a986a9933f75b479f391b2735af31b74ab0d1b65513c3e489e0dd8c1ceab561bab94244bd0d0aaa22d0

C:\Users\Admin\AppData\Local\Temp\4CD312~1.TMP

MD5 10ffa9f465b9bcef33023d8e52b2c782
SHA1 5004029a9d70002c2ef7e456ba4f2047bd094480
SHA256 1892dfb65582faa3155e095d247eed19b3f579608cc270e9c0c5fe11ae9d7201
SHA512 e39ade405e6bf048f9bcbf3c655a260945659591edae28cdaf15dd81580696b3a8f49c76d33de7b43f9cf1e4e4f3065a857b4c1e60ff996f89e2dfa1358c24c9

memory/5000-11-0x0000000000D60000-0x0000000000E5F000-memory.dmp

memory/5000-10-0x0000000000400000-0x00000000009DD000-memory.dmp

memory/1192-12-0x00000000008B0000-0x0000000000A0D000-memory.dmp

memory/1192-20-0x00000000008B0000-0x0000000000A0D000-memory.dmp

memory/1192-21-0x00000000008B0000-0x0000000000A0D000-memory.dmp

memory/1192-22-0x00000000008B0000-0x0000000000A0D000-memory.dmp

memory/1192-23-0x00000000008B0000-0x0000000000A0D000-memory.dmp

memory/1192-24-0x00000000008B0000-0x0000000000A0D000-memory.dmp

memory/1192-25-0x00000000008B0000-0x0000000000A0D000-memory.dmp

memory/1192-26-0x00000000008B0000-0x0000000000A0D000-memory.dmp

memory/1192-27-0x00000000008B0000-0x0000000000A0D000-memory.dmp