danabot | d876e1d5484e794c97573bb5e21ccd4cbb0d82abb2af83c2e4bb765caad8d43e

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:42

Target

751f5e9792c7dc915852167ef26bccb8.exe
Size

1.2MB
MD5

751f5e9792c7dc915852167ef26bccb8
SHA1

309c133c89120b879224273967e1935f93bdd3ad
SHA256

d876e1d5484e794c97573bb5e21ccd4cbb0d82abb2af83c2e4bb765caad8d43e
SHA512

741b56f070d4cccfcb84da0ec5bacc87d43a236a5b565fa54781f5e11eccd5b70aae68002de9538db1ba6b216b750f8a340a0d490f1e6ac5433265a2cb5b37b5
SSDEEP

24576:tkd3TK2y6Rg1Z55FkU3XfUHwdluBdZVKP4D/OPsOpF:tKDy6Rg1BqOUGlWGP4DosOp

Score

10^/10

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 5 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0009000000012257-6.dat	DanabotLoader2021
behavioral1/memory/2092-9-0x0000000001EF0000-0x000000000204E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2092-12-0x0000000001EF0000-0x000000000204E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2092-20-0x0000000001EF0000-0x000000000204E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2092-21-0x0000000001EF0000-0x000000000204E000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow	pid	Process
2	2092	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid	Process
2092	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

751f5e9792c7dc915852167ef26bccb8.exe

description	pid	Process	procid_target
PID 2508 wrote to memory of 2092	2508	751f5e9792c7dc915852167ef26bccb8.exe	28
PID 2508 wrote to memory of 2092	2508	751f5e9792c7dc915852167ef26bccb8.exe	28
PID 2508 wrote to memory of 2092	2508	751f5e9792c7dc915852167ef26bccb8.exe	28
PID 2508 wrote to memory of 2092	2508	751f5e9792c7dc915852167ef26bccb8.exe	28
PID 2508 wrote to memory of 2092	2508	751f5e9792c7dc915852167ef26bccb8.exe	28
PID 2508 wrote to memory of 2092	2508	751f5e9792c7dc915852167ef26bccb8.exe	28
PID 2508 wrote to memory of 2092	2508	751f5e9792c7dc915852167ef26bccb8.exe	28

C:\Users\Admin\AppData\Local\Temp\751f5e9792c7dc915852167ef26bccb8.exe
"C:\Users\Admin\AppData\Local\Temp\751f5e9792c7dc915852167ef26bccb8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\751F5E~1.TMP,S C:\Users\Admin\AppData\Local\Temp\751F5E~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2092

C:\Users\Admin\AppData\Local\Temp\751F5E~1.TMP

Filesize
1.3MB

MD5
1c78e599c4cd81a8d24b261d3bcf4edb

SHA1
5b57d44ca8a87d2f00dd1425854b9dce5b1359ed

SHA256
b07c448bfca39a69d5f715d7a780a6524365040b1ccb048ed643ee3f0ab605ff

SHA512
83a0a69f297c0774da9257e25f19b318b1b66b0769dd6852ad61874bc75bf8058b6ac2478564e6aca891b9ec811ed17186f05eea94083f14fa4c0acc0946d8e2

Download Submit
memory/2092-9-0x0000000001EF0000-0x000000000204E000-memory.dmp

Filesize
1.4MB

Download
memory/2092-12-0x0000000001EF0000-0x000000000204E000-memory.dmp

Filesize
1.4MB

Download
memory/2092-20-0x0000000001EF0000-0x000000000204E000-memory.dmp

Filesize
1.4MB

Download
memory/2092-21-0x0000000001EF0000-0x000000000204E000-memory.dmp

Filesize
1.4MB

Download
memory/2508-0-0x0000000004B40000-0x0000000004C2A000-memory.dmp

Filesize
936KB

Download
memory/2508-1-0x0000000004B40000-0x0000000004C2A000-memory.dmp

Filesize
936KB

Download
memory/2508-2-0x0000000004C30000-0x0000000004D2F000-memory.dmp

Filesize
1020KB

Download
memory/2508-5-0x0000000000400000-0x0000000003329000-memory.dmp

Filesize
47.2MB

Download
memory/2508-7-0x0000000000400000-0x0000000003329000-memory.dmp

Filesize
47.2MB

Download
memory/2508-10-0x0000000004C30000-0x0000000004D2F000-memory.dmp

Filesize
1020KB

Download
memory/2508-11-0x0000000004B40000-0x0000000004C2A000-memory.dmp

Filesize
936KB

Download