danabot | 0ec6e0825a2fc0fad53014005501839b31dad92997612244a573b52decc70435

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7822715637930a3d172819306ac76fc2.exe
Size

1.1MB
MD5

7822715637930a3d172819306ac76fc2
SHA1

18d152ecbb3e09d2ba7408adfc63be1d7b1d2495
SHA256

0ec6e0825a2fc0fad53014005501839b31dad92997612244a573b52decc70435
SHA512

73468c20dc5f7a309f00e946842987d013c07f5bfdcaa092c40e87f2326e490fbf53908ea134a5cacc1eac4d4d45d9fe4a1c1007b23b316ec628f2df24fda814
SSDEEP

24576:4p2So7/OUM34T7Nhf4hG+94ji9qoCtXBACgxZyPKHBSNE46hlYL:QorOpovNhlY4jGChBACWoKHB/4WlYL

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\782271~1.TMP	DanabotLoader2021
behavioral2/memory/3676-11-0x0000000000400000-0x000000000055D000-memory.dmp	DanabotLoader2021
behavioral2/memory/3676-19-0x0000000000400000-0x000000000055D000-memory.dmp	DanabotLoader2021
behavioral2/memory/3676-20-0x0000000000400000-0x000000000055D000-memory.dmp	DanabotLoader2021
behavioral2/memory/3676-21-0x0000000000400000-0x000000000055D000-memory.dmp	DanabotLoader2021
behavioral2/memory/3676-22-0x0000000000400000-0x000000000055D000-memory.dmp	DanabotLoader2021
behavioral2/memory/3676-23-0x0000000000400000-0x000000000055D000-memory.dmp	DanabotLoader2021
behavioral2/memory/3676-24-0x0000000000400000-0x000000000055D000-memory.dmp	DanabotLoader2021
behavioral2/memory/3676-25-0x0000000000400000-0x000000000055D000-memory.dmp	DanabotLoader2021
behavioral2/memory/3676-26-0x0000000000400000-0x000000000055D000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

50 3676 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3676 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2564 3292 WerFault.exe 7822715637930a3d172819306ac76fc2.exe

flow	pid	process
50	3676	rundll32.exe

pid	process
3676	rundll32.exe

pid	pid_target	process	target process
2564	3292	WerFault.exe	7822715637930a3d172819306ac76fc2.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7822715637930a3d172819306ac76fc2.exe

description	pid	process	target process
PID 3292 wrote to memory of 3676	3292	7822715637930a3d172819306ac76fc2.exe	rundll32.exe
PID 3292 wrote to memory of 3676	3292	7822715637930a3d172819306ac76fc2.exe	rundll32.exe
PID 3292 wrote to memory of 3676	3292	7822715637930a3d172819306ac76fc2.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7822715637930a3d172819306ac76fc2.exe
"C:\Users\Admin\AppData\Local\Temp\7822715637930a3d172819306ac76fc2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\782271~1.TMP,S C:\Users\Admin\AppData\Local\Temp\782271~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 520
2⤵
- Program crash
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3292 -ip 3292
1⤵
PID:1068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\782271~1.TMP
Filesize
1.3MB

MD5
4c66eb935f2a3c3a9e61943803c871a1

SHA1
ff5438e02685d3b74db407cf0444f79f3a72bf59

SHA256
890d9cb939c6aebecf82c8c575fbe1458c33892420764057c035fdfc1b660231

SHA512
5e937373b26670c70cac81056e4d2002aa1a25d53ed38db8fc20cc5958e7350a92a116daa8a972f9fd6426d06b7ca21aee4b3df2eb135f1c90958a428aab7561

Download Submit
memory/3292-1-0x0000000004AF0000-0x0000000004BDA000-memory.dmp

Filesize
936KB

Download
memory/3292-2-0x0000000004BF0000-0x0000000004CEE000-memory.dmp

Filesize
1016KB

Download
memory/3292-5-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/3292-8-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/3292-10-0x0000000004BF0000-0x0000000004CEE000-memory.dmp

Filesize
1016KB

Download
memory/3676-11-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3676-19-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3676-20-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3676-21-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3676-22-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3676-23-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3676-24-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3676-25-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/3676-26-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download