danabot | 0ffddce470010278a1e5545d5c616def34d6c4b21ac1152a11de5aa48792fb77

General

Target

57b388d86cf9eeac704fc629587c82bd.exe
Size

1.2MB
MD5

57b388d86cf9eeac704fc629587c82bd
SHA1

75b34c11d1efdcc6763a8290880267c59f5e497c
SHA256

0ffddce470010278a1e5545d5c616def34d6c4b21ac1152a11de5aa48792fb77
SHA512

c791c6ce54d2a6d299675c5c3ad58aefd18e7bb89390d7a4997a6a0570e78f6a0fee20c2bf3f9b27c99c1abdc36a0e101238df130d3cce42425d431279c33a9a
SSDEEP

24576:BEXMeW1VIC29ja0qwyajfytMdDRdL8yBuSKj:u8ezrAwatMt7pBq

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 13 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023110-8.dat	DanabotLoader2021
behavioral2/files/0x0009000000023110-7.dat	DanabotLoader2021
behavioral2/memory/2916-9-0x00000000022A0000-0x00000000023FD000-memory.dmp	DanabotLoader2021
behavioral2/files/0x0009000000023110-6.dat	DanabotLoader2021
behavioral2/memory/2916-12-0x00000000022A0000-0x00000000023FD000-memory.dmp	DanabotLoader2021
behavioral2/memory/2916-20-0x00000000022A0000-0x00000000023FD000-memory.dmp	DanabotLoader2021
behavioral2/memory/2916-21-0x00000000022A0000-0x00000000023FD000-memory.dmp	DanabotLoader2021
behavioral2/memory/2916-22-0x00000000022A0000-0x00000000023FD000-memory.dmp	DanabotLoader2021
behavioral2/memory/2916-23-0x00000000022A0000-0x00000000023FD000-memory.dmp	DanabotLoader2021
behavioral2/memory/2916-24-0x00000000022A0000-0x00000000023FD000-memory.dmp	DanabotLoader2021
behavioral2/memory/2916-25-0x00000000022A0000-0x00000000023FD000-memory.dmp	DanabotLoader2021
behavioral2/memory/2916-26-0x00000000022A0000-0x00000000023FD000-memory.dmp	DanabotLoader2021
behavioral2/memory/2916-27-0x00000000022A0000-0x00000000023FD000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
126	2916	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	rundll32.exe
2916	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2872	4432	WerFault.exe	86

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 2916	4432	57b388d86cf9eeac704fc629587c82bd.exe	90
PID 4432 wrote to memory of 2916	4432	57b388d86cf9eeac704fc629587c82bd.exe	90
PID 4432 wrote to memory of 2916	4432	57b388d86cf9eeac704fc629587c82bd.exe	90

C:\Users\Admin\AppData\Local\Temp\57b388d86cf9eeac704fc629587c82bd.exe
"C:\Users\Admin\AppData\Local\Temp\57b388d86cf9eeac704fc629587c82bd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\57B388~1.TMP,S C:\Users\Admin\AppData\Local\Temp\57B388~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 444
  2⤵
  - Program crash
  PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4432 -ip 4432
1⤵
PID:4668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57B388~1.EXE.tmp

Filesize
350KB

MD5
f2d0fdbdab767884c38e3c15ae5736b6

SHA1
b631a8e2e64ba57fce0bdc963ef63cec3d711442

SHA256
734d92bc4d9b613b547e39a242ff618410730f2692d7cb0ec9f76fa431ee8a40

SHA512
3b065a828bfde6f56295a1cdb78d7413c874ec33d9706c8cbedff9e7e40f4221a843b75202a9d15acd31457ff707d1e77f084814a6a57a182d401b0abfaf25e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\57B388~1.EXE.tmp

Filesize
269KB

MD5
af08a6b94628324cd3b56a25be908f2c

SHA1
560c4cb0e9bfb7b8e74780bf37cd578a82d0497c

SHA256
8e512f8b421268324467095f1be77e128334fffc8fc3d259733c5955829b04cc

SHA512
20105f04d5c78f23eaea8731e33c6e15f4aad78619ebbf04811ac8de11925b33a22d5de3b88b82b0ed7cd9653e2fbc33821313b7fe68d6d1f98eb85fef723721

Download Submit
C:\Users\Admin\AppData\Local\Temp\57B388~1.TMP

Filesize
396KB

MD5
c06388e5b83fc5aa83d133236129ce36

SHA1
8c3da4e1dd888b3f848062559691efc76682c014

SHA256
3adf07abbb11dca5fb4726744b4aac4dda80cbddf2c0a937e0642e08d15396e9

SHA512
e9fbd70e5e1225f1ed5989d13cb0172cb94fdc790788492cb664a59530de13f685650e180d68bdb8d652f98d95f3e489452d23b7341d4b8b3fb3fbb0fd615f0b

Download Submit
memory/2916-22-0x00000000022A0000-0x00000000023FD000-memory.dmp

Filesize
1.4MB

Download
memory/2916-23-0x00000000022A0000-0x00000000023FD000-memory.dmp

Filesize
1.4MB

Download
memory/2916-9-0x00000000022A0000-0x00000000023FD000-memory.dmp

Filesize
1.4MB

Download
memory/2916-27-0x00000000022A0000-0x00000000023FD000-memory.dmp

Filesize
1.4MB

Download
memory/2916-26-0x00000000022A0000-0x00000000023FD000-memory.dmp

Filesize
1.4MB

Download
memory/2916-25-0x00000000022A0000-0x00000000023FD000-memory.dmp

Filesize
1.4MB

Download
memory/2916-12-0x00000000022A0000-0x00000000023FD000-memory.dmp

Filesize
1.4MB

Download
memory/2916-20-0x00000000022A0000-0x00000000023FD000-memory.dmp

Filesize
1.4MB

Download
memory/2916-21-0x00000000022A0000-0x00000000023FD000-memory.dmp

Filesize
1.4MB

Download
memory/2916-24-0x00000000022A0000-0x00000000023FD000-memory.dmp

Filesize
1.4MB

Download
memory/4432-5-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download
memory/4432-1-0x0000000000AB0000-0x0000000000B9B000-memory.dmp

Filesize
940KB

Download
memory/4432-11-0x0000000000CD0000-0x0000000000DCE000-memory.dmp

Filesize
1016KB

Download
memory/4432-10-0x0000000000400000-0x00000000009DE000-memory.dmp

Filesize
5.9MB

Download
memory/4432-2-0x0000000000CD0000-0x0000000000DCE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing