danabot | 44f5331e906dd41bedfa27cda265c62d0afee5a4cc54d18c43bab13367355bb1

General

Target

80b5b9ab063c20e31fe018e04790a2e0.exe
Size

1.2MB
MD5

80b5b9ab063c20e31fe018e04790a2e0
SHA1

46ef1d41f5fd7c9601250f2c88f3e7444af38314
SHA256

44f5331e906dd41bedfa27cda265c62d0afee5a4cc54d18c43bab13367355bb1
SHA512

2b445956bb55f91093a3942af3c591a203c922cf0e20334968405da8eda1acbcb41d31c3fa91d7579eba6d459e2405b5df53b3a2368d08a56e9a525272ae95df
SSDEEP

24576:V6E5R3KVcpLFO7WB0Ul4ErLvZv3b3l6ylYlR7LmiIA:JR3WclabUl4ErLvZP7sgaBLm

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 12 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\80B5B9~1.TMP	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\80B5B9~1.TMP	DanabotLoader2021
behavioral1/memory/2088-9-0x0000000000970000-0x0000000000ACD000-memory.dmp	DanabotLoader2021
behavioral1/memory/2088-11-0x0000000000970000-0x0000000000ACD000-memory.dmp	DanabotLoader2021
behavioral1/memory/2088-19-0x0000000000970000-0x0000000000ACD000-memory.dmp	DanabotLoader2021
behavioral1/memory/2088-20-0x0000000000970000-0x0000000000ACD000-memory.dmp	DanabotLoader2021
behavioral1/memory/2088-21-0x0000000000970000-0x0000000000ACD000-memory.dmp	DanabotLoader2021
behavioral1/memory/2088-22-0x0000000000970000-0x0000000000ACD000-memory.dmp	DanabotLoader2021
behavioral1/memory/2088-23-0x0000000000970000-0x0000000000ACD000-memory.dmp	DanabotLoader2021
behavioral1/memory/2088-24-0x0000000000970000-0x0000000000ACD000-memory.dmp	DanabotLoader2021
behavioral1/memory/2088-25-0x0000000000970000-0x0000000000ACD000-memory.dmp	DanabotLoader2021
behavioral1/memory/2088-26-0x0000000000970000-0x0000000000ACD000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2088 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2088 rundll32.exe

flow	pid	process
2	2088	rundll32.exe

pid	process
2088	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

80b5b9ab063c20e31fe018e04790a2e0.exe

description	pid	process	target process
PID 2476 wrote to memory of 2088	2476	80b5b9ab063c20e31fe018e04790a2e0.exe	rundll32.exe
PID 2476 wrote to memory of 2088	2476	80b5b9ab063c20e31fe018e04790a2e0.exe	rundll32.exe
PID 2476 wrote to memory of 2088	2476	80b5b9ab063c20e31fe018e04790a2e0.exe	rundll32.exe
PID 2476 wrote to memory of 2088	2476	80b5b9ab063c20e31fe018e04790a2e0.exe	rundll32.exe
PID 2476 wrote to memory of 2088	2476	80b5b9ab063c20e31fe018e04790a2e0.exe	rundll32.exe
PID 2476 wrote to memory of 2088	2476	80b5b9ab063c20e31fe018e04790a2e0.exe	rundll32.exe
PID 2476 wrote to memory of 2088	2476	80b5b9ab063c20e31fe018e04790a2e0.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\80b5b9ab063c20e31fe018e04790a2e0.exe
"C:\Users\Admin\AppData\Local\Temp\80b5b9ab063c20e31fe018e04790a2e0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\80B5B9~1.TMP,S C:\Users\Admin\AppData\Local\Temp\80B5B9~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\80B5B9~1.TMP

Filesize
927KB

MD5
bd6af12afe93209acb2593efe93b54aa

SHA1
6ae8553dd2283cef4030d0cb503ceaae95bdab2e

SHA256
363bd2e59b1ea0f30493f10d30a4bceef4fe5bfaf1b7bbe6d4493c23df543e87

SHA512
f755717b8a7b892c9b2bbd6dd4c85fe374b8d4d9dc3da4494469b01314dd076d855f4c4196accf3f3528de0a6eaf2a6eda73e2f8f106f9af624890ddd09f3d0f

Download Submit
\Users\Admin\AppData\Local\Temp\80B5B9~1.TMP

Filesize
839KB

MD5
46c37b5f7429e5274a271af1a0c1953b

SHA1
ea431f6fbfe660c391d3eca373e77b7316cccc72

SHA256
f5d40e9b20aeae5847d01541c76baf2ec47e4b8ef3ccacc1be382a70f7688a6c

SHA512
ce6a1e14261be79309296786951122e3d3af5c059eb1ea6420c0f7e4e90053e9eeec09cba429c7b07191bcac2e198752463283c478c96c336e55eecb4a174ecf

Download Submit
memory/2088-21-0x0000000000970000-0x0000000000ACD000-memory.dmp

Filesize
1.4MB

Download
memory/2088-26-0x0000000000970000-0x0000000000ACD000-memory.dmp

Filesize
1.4MB

Download
memory/2088-25-0x0000000000970000-0x0000000000ACD000-memory.dmp

Filesize
1.4MB

Download
memory/2088-24-0x0000000000970000-0x0000000000ACD000-memory.dmp

Filesize
1.4MB

Download
memory/2088-23-0x0000000000970000-0x0000000000ACD000-memory.dmp

Filesize
1.4MB

Download
memory/2088-9-0x0000000000970000-0x0000000000ACD000-memory.dmp

Filesize
1.4MB

Download
memory/2088-22-0x0000000000970000-0x0000000000ACD000-memory.dmp

Filesize
1.4MB

Download
memory/2088-11-0x0000000000970000-0x0000000000ACD000-memory.dmp

Filesize
1.4MB

Download
memory/2088-19-0x0000000000970000-0x0000000000ACD000-memory.dmp

Filesize
1.4MB

Download
memory/2088-20-0x0000000000970000-0x0000000000ACD000-memory.dmp

Filesize
1.4MB

Download
memory/2476-7-0x0000000000400000-0x00000000033CB000-memory.dmp

Filesize
47.8MB

Download
memory/2476-10-0x0000000004C70000-0x0000000004D6E000-memory.dmp

Filesize
1016KB

Download
memory/2476-5-0x0000000000400000-0x00000000033CB000-memory.dmp

Filesize
47.8MB

Download
memory/2476-0-0x00000000033D0000-0x00000000034B9000-memory.dmp

Filesize
932KB

Download
memory/2476-1-0x00000000033D0000-0x00000000034B9000-memory.dmp

Filesize
932KB

Download
memory/2476-2-0x0000000004C70000-0x0000000004D6E000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing