danabot | 0ec6e0825a2fc0fad53014005501839b31dad92997612244a573b52decc70435

General

Target

7822715637930a3d172819306ac76fc2.exe
Size

1.1MB
MD5

7822715637930a3d172819306ac76fc2
SHA1

18d152ecbb3e09d2ba7408adfc63be1d7b1d2495
SHA256

0ec6e0825a2fc0fad53014005501839b31dad92997612244a573b52decc70435
SHA512

73468c20dc5f7a309f00e946842987d013c07f5bfdcaa092c40e87f2326e490fbf53908ea134a5cacc1eac4d4d45d9fe4a1c1007b23b316ec628f2df24fda814
SSDEEP

24576:4p2So7/OUM34T7Nhf4hG+94ji9qoCtXBACgxZyPKHBSNE46hlYL:QorOpovNhlY4jGChBACWoKHB/4WlYL

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2292-8-0x0000000000A10000-0x0000000000B6D000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\782271~1.TMP	DanabotLoader2021
behavioral1/memory/2292-12-0x0000000000A10000-0x0000000000B6D000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-20-0x0000000000A10000-0x0000000000B6D000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-21-0x0000000000A10000-0x0000000000B6D000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-22-0x0000000000A10000-0x0000000000B6D000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-23-0x0000000000A10000-0x0000000000B6D000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-24-0x0000000000A10000-0x0000000000B6D000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-25-0x0000000000A10000-0x0000000000B6D000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-26-0x0000000000A10000-0x0000000000B6D000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-27-0x0000000000A10000-0x0000000000B6D000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2292 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2292 rundll32.exe

flow	pid	process
2	2292	rundll32.exe

pid	process
2292	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

7822715637930a3d172819306ac76fc2.exe

description	pid	process	target process
PID 2644 wrote to memory of 2292	2644	7822715637930a3d172819306ac76fc2.exe	rundll32.exe
PID 2644 wrote to memory of 2292	2644	7822715637930a3d172819306ac76fc2.exe	rundll32.exe
PID 2644 wrote to memory of 2292	2644	7822715637930a3d172819306ac76fc2.exe	rundll32.exe
PID 2644 wrote to memory of 2292	2644	7822715637930a3d172819306ac76fc2.exe	rundll32.exe
PID 2644 wrote to memory of 2292	2644	7822715637930a3d172819306ac76fc2.exe	rundll32.exe
PID 2644 wrote to memory of 2292	2644	7822715637930a3d172819306ac76fc2.exe	rundll32.exe
PID 2644 wrote to memory of 2292	2644	7822715637930a3d172819306ac76fc2.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7822715637930a3d172819306ac76fc2.exe
"C:\Users\Admin\AppData\Local\Temp\7822715637930a3d172819306ac76fc2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\782271~1.TMP,S C:\Users\Admin\AppData\Local\Temp\782271~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\782271~1.TMP

Filesize
1.3MB

MD5
4c66eb935f2a3c3a9e61943803c871a1

SHA1
ff5438e02685d3b74db407cf0444f79f3a72bf59

SHA256
890d9cb939c6aebecf82c8c575fbe1458c33892420764057c035fdfc1b660231

SHA512
5e937373b26670c70cac81056e4d2002aa1a25d53ed38db8fc20cc5958e7350a92a116daa8a972f9fd6426d06b7ca21aee4b3df2eb135f1c90958a428aab7561

Download Submit
memory/2292-22-0x0000000000A10000-0x0000000000B6D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-23-0x0000000000A10000-0x0000000000B6D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-12-0x0000000000A10000-0x0000000000B6D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-27-0x0000000000A10000-0x0000000000B6D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-20-0x0000000000A10000-0x0000000000B6D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-26-0x0000000000A10000-0x0000000000B6D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-25-0x0000000000A10000-0x0000000000B6D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-21-0x0000000000A10000-0x0000000000B6D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-8-0x0000000000A10000-0x0000000000B6D000-memory.dmp

Filesize
1.4MB

Download
memory/2292-24-0x0000000000A10000-0x0000000000B6D000-memory.dmp

Filesize
1.4MB

Download
memory/2644-5-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/2644-0-0x0000000002D50000-0x0000000002E39000-memory.dmp

Filesize
932KB

Download
memory/2644-11-0x0000000002D50000-0x0000000002E39000-memory.dmp

Filesize
932KB

Download
memory/2644-9-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/2644-10-0x0000000004690000-0x000000000478E000-memory.dmp

Filesize
1016KB

Download
memory/2644-2-0x0000000004690000-0x000000000478E000-memory.dmp

Filesize
1016KB

Download
memory/2644-1-0x0000000002D50000-0x0000000002E39000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing