danabot | 1b6893887051e9bb3155b6a817e71e499dcb5959369391a42b772c0fa75e55fd

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f8f5be06bf789146526e520a66be571.exe
Size

1.2MB
MD5

7f8f5be06bf789146526e520a66be571
SHA1

629681e69d3759d2085aa2c037c8c6fca4045ea2
SHA256

1b6893887051e9bb3155b6a817e71e499dcb5959369391a42b772c0fa75e55fd
SHA512

4c396b8dadfd446f11b644ad33042e0c6fa19b418c02d744f4bda5409732b3b1601cc3bff191cb5a8a10f676672d0c662705420a1b4306f142a6a897a09210aa
SSDEEP

24576:wAUndkOGbeIL4GZfKiE8q34N+/J8b5uRLDOmY1NY6NDaJm6bPCPR:rAkP0GZnEB4NW8bk1D4TY4

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

36 4368 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4368 rundll32.exe
4368 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3772 1432 WerFault.exe 7f8f5be06bf789146526e520a66be571.exe

flow	pid	process
36	4368	rundll32.exe

pid	process
4368	rundll32.exe
4368	rundll32.exe

pid	pid_target	process	target process
3772	1432	WerFault.exe	7f8f5be06bf789146526e520a66be571.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7f8f5be06bf789146526e520a66be571.exe

description	pid	process	target process
PID 1432 wrote to memory of 4368	1432	7f8f5be06bf789146526e520a66be571.exe	rundll32.exe
PID 1432 wrote to memory of 4368	1432	7f8f5be06bf789146526e520a66be571.exe	rundll32.exe
PID 1432 wrote to memory of 4368	1432	7f8f5be06bf789146526e520a66be571.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe
"C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP,S C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 540
2⤵
- Program crash
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1432 -ip 1432
1⤵
PID:4196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE.tmp

Filesize
456KB

MD5
be6ae0e5e56124e4d7988b2fded71593

SHA1
590708d08b14a18572cf667d5c3be47bf4c0ee7d

SHA256
634e9f4707aa6ad15a07aaf1989b139981d192585063b9f107a960d628c36393

SHA512
aabec19d6eac770b58452bf4112984abcd21e4116f48e6658d8c518342b4359baebaa5cae7da148d96d4918bb4ff24e858f3abc2a3f063b2b6b9f306a5f84f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE.tmp

Filesize
372KB

MD5
86932bc86c44484a1ddef9961d2f26b9

SHA1
d0c98e82543e2d62fe3ddaaf69f8e5c4da8bd52e

SHA256
05c4700e7bdfde97198315dd820cfb728a4608c3c7f2d58fd5b2ada87206af3e

SHA512
9beb70f8edc569bdbce5aec49b9f5a2c8ff820717ba746da6510df2cc02f37ec60dec3ea506015d79ef5516bc902eba190dbeb4b20601063e87b1bb8e0979159

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP

Filesize
540KB

MD5
6880ca3d7b614ad190b5e2fc24aff359

SHA1
004aa770c9844965127c1089bce83ac40462602f

SHA256
63c16677467402586ccecc13f44bd1ebe7389163b2a0d44858fe28d3c295e7e8

SHA512
762708874af80248bdff74dcc92014772626af23cad8c8d9a904fd163cf43218208e9c4820a6bc2267dce4ab37449e30232e283046876a2a4116ce1f693a1f72

Download Submit
memory/1432-11-0x0000000002380000-0x0000000002480000-memory.dmp

Filesize
1024KB

Download
memory/1432-1-0x0000000002290000-0x0000000002380000-memory.dmp

Filesize
960KB

Download
memory/1432-3-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/1432-2-0x0000000002380000-0x0000000002480000-memory.dmp

Filesize
1024KB

Download
memory/1432-10-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4368-20-0x0000000002560000-0x00000000026BE000-memory.dmp

Filesize
1.4MB

Download
memory/4368-12-0x0000000002560000-0x00000000026BE000-memory.dmp

Filesize
1.4MB

Download
memory/4368-9-0x0000000002560000-0x00000000026BE000-memory.dmp

Filesize
1.4MB

Download
memory/4368-21-0x0000000002560000-0x00000000026BE000-memory.dmp

Filesize
1.4MB

Download
memory/4368-22-0x0000000002560000-0x00000000026BE000-memory.dmp

Filesize
1.4MB

Download
memory/4368-23-0x0000000002560000-0x00000000026BE000-memory.dmp

Filesize
1.4MB

Download
memory/4368-24-0x0000000002560000-0x00000000026BE000-memory.dmp

Filesize
1.4MB

Download
memory/4368-25-0x0000000002560000-0x00000000026BE000-memory.dmp

Filesize
1.4MB

Download
memory/4368-26-0x0000000002560000-0x00000000026BE000-memory.dmp

Filesize
1.4MB

Download
memory/4368-27-0x0000000002560000-0x00000000026BE000-memory.dmp

Filesize
1.4MB

Download