danabot | 1e51f18092d8b33ce540f0be383e973e3bb962de84630144d4a40f70d74551f3

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54415694e11467be54aa0e5fc0c63ee5.exe
Size

1.0MB
MD5

54415694e11467be54aa0e5fc0c63ee5
SHA1

adb1fa18fc275e98e26660621b74ee188fb0b66b
SHA256

1e51f18092d8b33ce540f0be383e973e3bb962de84630144d4a40f70d74551f3
SHA512

cebffcba8a75b2cac7ecbca1b62c1e1862f364d24ded2ab4541bb92cd1448bcad30d03b01b3faaf94d1602f56ca1bd720d76da782762df35f90f54191c69ec42
SSDEEP

24576:mZlJEIt2wdfQlda/BnHUmdtqqAqMenRFNEuA5u0u5XjO+MG1c:mZ3EIt2wdyElnAqMekiX

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

192.210.222.81:443

23.229.29.48:443

5.9.224.204:443

192.255.166.212:443

Attributes

embedded_hash
100700D372965A717E89B8C909E1D8D4
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\544156~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\544156~1.DLL	DanabotLoader2021
behavioral1/memory/1904-13-0x0000000000BE0000-0x0000000000D41000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\544156~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\544156~1.DLL	DanabotLoader2021
behavioral1/memory/1904-15-0x0000000000BE0000-0x0000000000D41000-memory.dmp	DanabotLoader2021
behavioral1/memory/1904-29-0x0000000000BE0000-0x0000000000D41000-memory.dmp	DanabotLoader2021
behavioral1/memory/1904-30-0x0000000000BE0000-0x0000000000D41000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1904 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1904 rundll32.exe
1904 rundll32.exe
1904 rundll32.exe
1904 rundll32.exe

flow	pid	process
2	1904	rundll32.exe

pid	process
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

54415694e11467be54aa0e5fc0c63ee5.exe

description	pid	process	target process
PID 1044 wrote to memory of 1904	1044	54415694e11467be54aa0e5fc0c63ee5.exe	rundll32.exe
PID 1044 wrote to memory of 1904	1044	54415694e11467be54aa0e5fc0c63ee5.exe	rundll32.exe
PID 1044 wrote to memory of 1904	1044	54415694e11467be54aa0e5fc0c63ee5.exe	rundll32.exe
PID 1044 wrote to memory of 1904	1044	54415694e11467be54aa0e5fc0c63ee5.exe	rundll32.exe
PID 1044 wrote to memory of 1904	1044	54415694e11467be54aa0e5fc0c63ee5.exe	rundll32.exe
PID 1044 wrote to memory of 1904	1044	54415694e11467be54aa0e5fc0c63ee5.exe	rundll32.exe
PID 1044 wrote to memory of 1904	1044	54415694e11467be54aa0e5fc0c63ee5.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\54415694e11467be54aa0e5fc0c63ee5.exe
"C:\Users\Admin\AppData\Local\Temp\54415694e11467be54aa0e5fc0c63ee5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\544156~1.DLL,s C:\Users\Admin\AppData\Local\Temp\544156~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\544156~1.DLL
Filesize
1.0MB

MD5
5c97d91f2a924a463e17f869fdd3c2a8

SHA1
ba24a02d615206d9242c15bddcb3bfe8ee082d5d

SHA256
25039d211bee38f85fa6cb7fd02ff147e0dd229a11d878aa68082d4684c72427

SHA512
40b2c6146a1d19d9c9ea14916c9ef9c7ef74b925a5ab1bc584e0c8c03d30abc254c85ef0a48492ff60164eccecbe67c48212a0079ded2de7861c4a79479f8bcd

Download Submit
\Users\Admin\AppData\Local\Temp\544156~1.DLL
Filesize
123KB

MD5
e13082e90e78f8d6fd21a0a88528faf0

SHA1
78174c3b7889c71ec0cd7f0abc5794ea4765c7fc

SHA256
67f79a16248bf3b26a5ab0095b70bc1fce6d9786dc7bb80222fc138d5ee3e88f

SHA512
4ad8c7a073d250069edb6a527e278ed431a74f9abfaa999de97db14ff4d2b6cb8949d14606ff62b3efdf2cf158a5930f9e81995bf8d0b976099602b669886ae4

Download Submit
\Users\Admin\AppData\Local\Temp\544156~1.DLL
Filesize
115KB

MD5
eb4ebd4c9939ff2155dafd7658664da5

SHA1
cbc1a12ae9c537ca3271a2c12e26d01cdf439559

SHA256
9e9c2715ed7507d3fd2ea7820c76f522afe74f6fc02273c36b6dee30e6f4f51b

SHA512
ab5a4d9de1ad5e3a825855a32e266f54eae360aa5f9dd4b7f36e4f94833e3cb1b110e2d3401dab45ed6b77db7919a2ba128cca709a98572cef511aef51a40caf

Download Submit
\Users\Admin\AppData\Local\Temp\544156~1.DLL
Filesize
385KB

MD5
6b6d28a418f7f085466a075381768c77

SHA1
97f10d2db9fc6bac1c1fe3698e9e0faddb18a506

SHA256
5c2e71b09ec2aa888d98f99fb86b818ca26bc89725e9f434b12255deaa7ddade

SHA512
00ff1cf4dec8e0ba164cb8282016135a53eba4424ce318cb841f9bb3e952ad56813b834fcebac4b4019d034e61a83196be119552433a331cb550be74aa5411dd

Download Submit
memory/1044-2-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1044-14-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1044-26-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1904-13-0x0000000000BE0000-0x0000000000D41000-memory.dmp

Filesize
1.4MB

Download
memory/1904-15-0x0000000000BE0000-0x0000000000D41000-memory.dmp

Filesize
1.4MB

Download
memory/1904-29-0x0000000000BE0000-0x0000000000D41000-memory.dmp

Filesize
1.4MB

Download
memory/1904-30-0x0000000000BE0000-0x0000000000D41000-memory.dmp

Filesize
1.4MB

Download