Malware Analysis Report

2024-11-13 15:32

Sample ID 240129-e1dgvahgf7
Target 7ee0c1c8f76bd87982f5e238d7cf44d3
SHA256 987f20ff829ea4c324d87ca9b55860111b827d0fdb01499bb704074d9d220016
Tags
danabot 4 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

987f20ff829ea4c324d87ca9b55860111b827d0fdb01499bb704074d9d220016

Threat Level: Known bad

The file 7ee0c1c8f76bd87982f5e238d7cf44d3 was found to be: Known bad.

Malicious Activity Summary

danabot 4 banker trojan

Danabot

Blocklisted process makes network request

Loads dropped DLL

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-29 04:24

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-29 04:24

Reported

2024-01-29 04:26

Platform

win7-20231215-en

Max time kernel

147s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe

"C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL,s C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.EXE

Network

Country  Destination        Domain                       Proto
US       23.229.29.48:443                                tcp

Files

memory/3012-0-0x0000000002490000-0x000000000257F000-memory.dmp

memory/3012-1-0x0000000002490000-0x000000000257F000-memory.dmp

memory/3012-2-0x0000000003CE0000-0x0000000003DE6000-memory.dmp

memory/3012-5-0x0000000000400000-0x000000000248D000-memory.dmp

memory/3012-6-0x0000000000400000-0x000000000248D000-memory.dmp

memory/3012-8-0x0000000003CE0000-0x0000000003DE6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL

MD5 5caf1eb57c3efd67b774c509c43739a1
SHA1 7d84ff3efbf98b024d5886322cd32de96f9aed94
SHA256 03cab90f7e002834e22cc826e01c37f1d81623e9f65e5dfab6ab591fc54f99f7
SHA512 7dae6c9452def66d2af95d7810fc56e87b245a700b246c6d8bcd396c57bd6fc3f6b9157f3b6a59694ad478fc32d2fd30eb1c923000e762eae90a7e984298e7d0

C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL

MD5 ff8e1b1d905f4e3e92f9844192d7cb36
SHA1 8278a8bd4d5d4b4883872f6939938f4a16ae8066
SHA256 195901fd26584a95e7851f93df8d21bb51328dad8c4eb2e92bdbae220ab018d6
SHA512 7053f9021026d10f06cb7ee7b6880b6d8cfdfac46f89bb4e128ee3d6c5e321f9d9639394be739e819172ca03ebeb2be89af949fce8eb64f798bb00f9d09842ba

memory/2980-18-0x0000000001F70000-0x00000000020D2000-memory.dmp

\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL

MD5 6ec6a40190161b95c184941d28d5efd6
SHA1 18a8f39396b713f9287dc24fb7170d86f48eb5a4
SHA256 19495a3aac0f4cdc06aab461ccf5d10922764266de594b5b627d8c25475f6f78
SHA512 7cc63910f6e70355cc6bd7ef4e7a16cb5e26c4529371bf944c16c09afa12fc5a5ac90bf6148378191a9fa15b874d563b91b332e9c573576ac62bd1427414171e

\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL

MD5 295dc34770ba49bcb23f9c80eea7830f
SHA1 a5eed3d00ebc06242943d736dcb04681c633c62d
SHA256 6f4cfaa9d6647c81b5f190381c956aa27c57e69ae94e121aefb15adbe30a8346
SHA512 6fd011e393a7d809e8cee90d3eae1149caa5b37ba24030ff310c949217c8b4cc2a066890188634140487d9f0d01957d54b154e983ee1cf83be466ef5a8adb511

\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL

MD5 d016f3e44b1e9e0c2ac74dea34a1d392
SHA1 3991345c926597a96b90c23a8111d37cbf744433
SHA256 2725fc65da527a545f4b8a31a959c290048254d828e745434e11d1f610f90a4c
SHA512 307fa3e0c246a64b5e3545cec225b7be307855fea3681be1f4095e3a40198357a9be2d891a5b17ca4f5713b1d69b985f448a63e3453834d30a971c9b59c56da9

memory/3012-19-0x0000000000400000-0x000000000248D000-memory.dmp

memory/2980-20-0x0000000001F70000-0x00000000020D2000-memory.dmp

memory/3012-31-0x0000000000400000-0x000000000248D000-memory.dmp

memory/2980-32-0x0000000001F70000-0x00000000020D2000-memory.dmp

memory/2980-33-0x0000000001F70000-0x00000000020D2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-29 04:24

Reported

2024-01-29 04:26

Platform

win10v2004-20231222-en

Max time kernel

148s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe"

Signatures

Danabot

trojan banker danabot

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe

"C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL,s C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5096 -ip 5096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 540

Network

Country  Destination        Domain                       Proto
US       8.8.8.8:53         13.86.106.20.in-addr.arpa    udp
US       8.8.8.8:53         194.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53         14.160.190.20.in-addr.arpa   udp
NL       52.142.223.178:80                               tcp
US       8.8.8.8:53         217.106.137.52.in-addr.arpa  udp
US       8.8.8.8:53         26.165.165.52.in-addr.arpa   udp
US       8.8.8.8:53         198.187.3.20.in-addr.arpa    udp
US       8.8.8.8:53         217.135.221.88.in-addr.arpa  udp
US       8.8.8.8:53         240.221.184.93.in-addr.arpa  udp
US       8.8.8.8:53         14.227.111.52.in-addr.arpa   udp
US       8.8.8.8:53         180.178.17.96.in-addr.arpa   udp
US       23.229.29.48:443                                tcp

Files

memory/5096-1-0x0000000004310000-0x000000000440E000-memory.dmp

memory/5096-2-0x0000000004410000-0x0000000004516000-memory.dmp

memory/5096-5-0x0000000000400000-0x000000000248D000-memory.dmp

memory/5096-6-0x0000000000400000-0x000000000248D000-memory.dmp

memory/5096-7-0x0000000004410000-0x0000000004516000-memory.dmp

memory/5096-9-0x0000000004310000-0x000000000440E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.EXE.dll

MD5 3952f26fd6c69c0c9fbd9b61297620be
SHA1 2021cd9f36b2ce337e72ea462b263cc8d9d0e23a
SHA256 8de9d904165326ee53d6c20ca16eeb49d6edb51ddab819c0d01dc5f460f1b2e3
SHA512 030fd2fb02324a0172aa1016ea32b3452de1ab2b607bc238db43df33f97fe8900476a959db7a9cd9b4b39f90a4b79bacab717afc252e42e213b6fe97047f3951

C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL

MD5 fa7d658b3094ef34ae19739b484fea03
SHA1 9afe58a02d4035a1cdc4e7be19daae648e49325b
SHA256 420e9c8370046ddfb78aee19873592b139ee60b86094047a16dab3beab1c7566
SHA512 f3429dbff0e7724d7aaa363ab27cb9bc2f0caec4c6d636a546ad4ed54dbf3f186a29b21ca2eb328755424c5c053ace7ce8775b76abb37de7c3bd4b8afe8eb038

memory/1444-17-0x0000000002080000-0x00000000021E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.EXE.dll

MD5 855b8d8136c9ec7e054c3474839c95a6
SHA1 b22b38d85a8e2dcc818d13e79f7f7896ca85479e
SHA256 1482500b25fdbe783c8d30f5b1bcb2219fc323706000de7689b5250e78be1d6f
SHA512 c4c39b34d68a52eb8476ee3d459b1b4455d0812d7216d20a4180f171af5204b9dad30fd86cfa773905c07aff44f47bbe309c36db4e07c7128e8a98f7ddeae309

memory/5096-18-0x0000000000400000-0x000000000248D000-memory.dmp

memory/1444-19-0x0000000002080000-0x00000000021E2000-memory.dmp

memory/5096-30-0x0000000000400000-0x000000000248D000-memory.dmp

memory/1444-31-0x0000000002080000-0x00000000021E2000-memory.dmp

memory/1444-32-0x0000000002080000-0x00000000021E2000-memory.dmp