danabot | d3657dd474e857255ae3ea6f0faabb6f9a6f7bf77423042e5eb827a9cb72d17a

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 16:36

Target

7abd12f4c0935b02395fed41d3eabb22.exe
Size

1.1MB
MD5

7abd12f4c0935b02395fed41d3eabb22
SHA1

ce09d720002bb05e8c0353dcd472c5cd10ce49df
SHA256

d3657dd474e857255ae3ea6f0faabb6f9a6f7bf77423042e5eb827a9cb72d17a
SHA512

edb16078ae88ee21306a7c3737a5dc67fc3a32483edd28fc78f95b578f9c3cd0003ad3c61d595a6177ae652528cc423b43bcb7bc890862025aac862b14c01fc3
SSDEEP

24576:5j3U3V+/lHGb+KKbLJzh7pgyB92I4cl6vZPMUgl:58MphbLJztlcI4Yccl

Score

10^/10

Family

danabot

Botnet

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7ABD12~1.DLL	DanabotLoader2021
behavioral2/memory/4592-17-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/4592-29-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/4592-30-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

40 4592 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4592 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3760 1456 WerFault.exe 7abd12f4c0935b02395fed41d3eabb22.exe

flow	pid	process
40	4592	rundll32.exe

pid	process
4592	rundll32.exe

pid	pid_target	process	target process
3760	1456	WerFault.exe	7abd12f4c0935b02395fed41d3eabb22.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7abd12f4c0935b02395fed41d3eabb22.exe

description	pid	process	target process
PID 1456 wrote to memory of 4592	1456	7abd12f4c0935b02395fed41d3eabb22.exe	rundll32.exe
PID 1456 wrote to memory of 4592	1456	7abd12f4c0935b02395fed41d3eabb22.exe	rundll32.exe
PID 1456 wrote to memory of 4592	1456	7abd12f4c0935b02395fed41d3eabb22.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7abd12f4c0935b02395fed41d3eabb22.exe
"C:\Users\Admin\AppData\Local\Temp\7abd12f4c0935b02395fed41d3eabb22.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 504
2⤵
- Program crash
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1456 -ip 1456
1⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\7ABD12~1.DLL

Filesize
1.3MB

MD5
12168013d2d204caa5fc0886d88d5506

SHA1
6b6ef4bf1f4e0506c87364cca941ec0ef0152875

SHA256
7a594c615856cf09eb8247170d99f87349ac1c1f696308578f66bb640d7892d6

SHA512
265d8f9bff822b7f7cd744ea04f067a65c19a11a7c88180c8e32ed47ff5a814a2a65bc5b713f38722f8f8396c1f67bbb476cc02ae674c02dce4c5f7a780a087a

Download Submit
memory/1456-1-0x0000000002680000-0x0000000002774000-memory.dmp

Filesize
976KB

Download
memory/1456-2-0x00000000027B0000-0x00000000028B5000-memory.dmp

Filesize
1.0MB

Download
memory/1456-5-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download
memory/1456-6-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download
memory/1456-8-0x0000000002680000-0x0000000002774000-memory.dmp

Filesize
976KB

Download
memory/1456-9-0x00000000027B0000-0x00000000028B5000-memory.dmp

Filesize
1.0MB

Download
memory/1456-16-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download
memory/1456-28-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download
memory/4592-17-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4592-29-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4592-30-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download