danabot | 987f20ff829ea4c324d87ca9b55860111b827d0fdb01499bb704074d9d220016

General

Target

7ee0c1c8f76bd87982f5e238d7cf44d3.exe
Size

1.1MB
MD5

7ee0c1c8f76bd87982f5e238d7cf44d3
SHA1

6f476c2ac0b7e83605ed9eeafdd0461c807240ac
SHA256

987f20ff829ea4c324d87ca9b55860111b827d0fdb01499bb704074d9d220016
SHA512

a0eefc162bd60a1c7a6770f9b017a94ba185c9802acb975f56372026851b1fff5192f5faed61aff1a4854587c5941fd1456821621fc72bf6fdc0f46e379ed06c
SSDEEP

24576:27l+B6syClv2eGZCFNJ0/CuDOAzKskZJFdyjxzpJDgmvNsXL:eRCl9GZqs/CgxyFI17kmvaXL

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

embedded_hash
0E1A7A1479C37094441FA911262B322A
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2980 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

2980 rundll32.exe
2980 rundll32.exe
2980 rundll32.exe
2980 rundll32.exe

flow	pid	process
2	2980	rundll32.exe

pid	process
2980	rundll32.exe
2980	rundll32.exe
2980	rundll32.exe
2980	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

7ee0c1c8f76bd87982f5e238d7cf44d3.exe

description	pid	process	target process
PID 3012 wrote to memory of 2980	3012	7ee0c1c8f76bd87982f5e238d7cf44d3.exe	rundll32.exe
PID 3012 wrote to memory of 2980	3012	7ee0c1c8f76bd87982f5e238d7cf44d3.exe	rundll32.exe
PID 3012 wrote to memory of 2980	3012	7ee0c1c8f76bd87982f5e238d7cf44d3.exe	rundll32.exe
PID 3012 wrote to memory of 2980	3012	7ee0c1c8f76bd87982f5e238d7cf44d3.exe	rundll32.exe
PID 3012 wrote to memory of 2980	3012	7ee0c1c8f76bd87982f5e238d7cf44d3.exe	rundll32.exe
PID 3012 wrote to memory of 2980	3012	7ee0c1c8f76bd87982f5e238d7cf44d3.exe	rundll32.exe
PID 3012 wrote to memory of 2980	3012	7ee0c1c8f76bd87982f5e238d7cf44d3.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe
"C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL,s C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL

Filesize
857KB

MD5
ff8e1b1d905f4e3e92f9844192d7cb36

SHA1
8278a8bd4d5d4b4883872f6939938f4a16ae8066

SHA256
195901fd26584a95e7851f93df8d21bb51328dad8c4eb2e92bdbae220ab018d6

SHA512
7053f9021026d10f06cb7ee7b6880b6d8cfdfac46f89bb4e128ee3d6c5e321f9d9639394be739e819172ca03ebeb2be89af949fce8eb64f798bb00f9d09842ba

Download Submit
\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL

Filesize
200KB

MD5
5caf1eb57c3efd67b774c509c43739a1

SHA1
7d84ff3efbf98b024d5886322cd32de96f9aed94

SHA256
03cab90f7e002834e22cc826e01c37f1d81623e9f65e5dfab6ab591fc54f99f7

SHA512
7dae6c9452def66d2af95d7810fc56e87b245a700b246c6d8bcd396c57bd6fc3f6b9157f3b6a59694ad478fc32d2fd30eb1c923000e762eae90a7e984298e7d0

Download Submit
\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL

Filesize
129KB

MD5
d016f3e44b1e9e0c2ac74dea34a1d392

SHA1
3991345c926597a96b90c23a8111d37cbf744433

SHA256
2725fc65da527a545f4b8a31a959c290048254d828e745434e11d1f610f90a4c

SHA512
307fa3e0c246a64b5e3545cec225b7be307855fea3681be1f4095e3a40198357a9be2d891a5b17ca4f5713b1d69b985f448a63e3453834d30a971c9b59c56da9

Download Submit
\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL

Filesize
123KB

MD5
295dc34770ba49bcb23f9c80eea7830f

SHA1
a5eed3d00ebc06242943d736dcb04681c633c62d

SHA256
6f4cfaa9d6647c81b5f190381c956aa27c57e69ae94e121aefb15adbe30a8346

SHA512
6fd011e393a7d809e8cee90d3eae1149caa5b37ba24030ff310c949217c8b4cc2a066890188634140487d9f0d01957d54b154e983ee1cf83be466ef5a8adb511

Download Submit
\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL

Filesize
125KB

MD5
6ec6a40190161b95c184941d28d5efd6

SHA1
18a8f39396b713f9287dc24fb7170d86f48eb5a4

SHA256
19495a3aac0f4cdc06aab461ccf5d10922764266de594b5b627d8c25475f6f78

SHA512
7cc63910f6e70355cc6bd7ef4e7a16cb5e26c4529371bf944c16c09afa12fc5a5ac90bf6148378191a9fa15b874d563b91b332e9c573576ac62bd1427414171e

Download Submit
memory/2980-33-0x0000000001F70000-0x00000000020D2000-memory.dmp

Filesize
1.4MB

Download
memory/2980-32-0x0000000001F70000-0x00000000020D2000-memory.dmp

Filesize
1.4MB

Download
memory/2980-20-0x0000000001F70000-0x00000000020D2000-memory.dmp

Filesize
1.4MB

Download
memory/2980-18-0x0000000001F70000-0x00000000020D2000-memory.dmp

Filesize
1.4MB

Download
memory/3012-6-0x0000000000400000-0x000000000248D000-memory.dmp

Filesize
32.6MB

Download
memory/3012-8-0x0000000003CE0000-0x0000000003DE6000-memory.dmp

Filesize
1.0MB

Download
memory/3012-0-0x0000000002490000-0x000000000257F000-memory.dmp

Filesize
956KB

Download
memory/3012-19-0x0000000000400000-0x000000000248D000-memory.dmp

Filesize
32.6MB

Download
memory/3012-5-0x0000000000400000-0x000000000248D000-memory.dmp

Filesize
32.6MB

Download
memory/3012-31-0x0000000000400000-0x000000000248D000-memory.dmp

Filesize
32.6MB

Download
memory/3012-2-0x0000000003CE0000-0x0000000003DE6000-memory.dmp

Filesize
1.0MB

Download
memory/3012-1-0x0000000002490000-0x000000000257F000-memory.dmp

Filesize
956KB

Download

Analysis

Sharing