Malware Analysis Report

2024-11-13 15:32

Sample ID 240131-dmvcrsaec6
Target 83482a1f9ecee5ec6fd1aa7d19060a07
SHA256 c744f24e87e969e79dd233ac2344679f95451212afc52a8fae455fa7d6df58b1
Tags: danabot 4 banker trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

c744f24e87e969e79dd233ac2344679f95451212afc52a8fae455fa7d6df58b1

Threat Level: Known bad

The file 83482a1f9ecee5ec6fd1aa7d19060a07 was found to be: Known bad.

Malicious Activity Summary

danabot 4 banker trojan

Danabot

Danabot Loader Component

Blocklisted process makes network request

Loads dropped DLL

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-31 03:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 03:07

Reported

2024-01-31 03:10

Platform

win7-20231215-en

Max time kernel

143s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe

"C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\83482A~1.EXE

Network

Country  Destination          Domain  Proto
US       142.11.244.124:443   -       tcp

Files


C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP

MD5 704af132c566a673c42dafeca9b583eb
SHA1 5f054007a3461aeb6077fccca745882dc7d6eb34
SHA256 b54c72a7a27097d756d1cd9a64a5bfa8069ba5af2ed802df15b91e6d1de20057
SHA512 b75265abe4464130160a68f5791938a82211732e5118fba398ae3f9b87ea8213ca73786bd6e8b2dc219c92e0d23d53a5bb09d6885f6a8a87a4ef657b4c9c0a5d

\Users\Admin\AppData\Local\Temp\83482A~1.TMP

MD5 78522096af3e878569cade04602d61f1
SHA1 02e0d2a3cd0f9c6eea1e490583434057e77c75eb
SHA256 0fc30092eb96c40dca2e0dce956d79caa5fa74e0754854107507222af285bcab
SHA512 5b5a92f4a4d6a278a46f3377b6b9e2c4aa2f6ae105f819da19a7f7fb704c6fa9900533d0bc1634024d29ddd6650c5e74d51008e5cdca76ee587bc2b589efcfe4


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 03:07

Reported

2024-01-31 03:10

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe

"C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\83482A~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3200 -ip 3200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 536

Network

Country  Destination          Domain                           Proto
US       8.8.8.8:53           232.168.11.51.in-addr.arpa       udp
US       8.8.8.8:53           194.178.17.96.in-addr.arpa       udp
US       8.8.8.8:53           0.159.190.20.in-addr.arpa        udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa      udp
US       8.8.8.8:53           241.150.49.20.in-addr.arpa       udp
US       20.231.121.79:80     -                                tcp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa       udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa       udp
US       8.8.8.8:53           217.135.221.88.in-addr.arpa      udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa        udp
US       142.11.244.124:443   -                                tcp
US       8.8.8.8:53           21.236.111.52.in-addr.arpa       udp
US       8.8.8.8:53           180.178.17.96.in-addr.arpa       udp
US       8.8.8.8:53           90.65.42.20.in-addr.arpa         udp

Files

C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP

MD5 f748130b5c5ce308eb3d942b368b9e80
SHA1 28bb82301f58f613495612ff78e2ccaa4236a31b
SHA256 dcf1a14c91cb2e9fc312d4a69847ffa8266d77acc9ea8a784bf02501dd0f41d9
SHA512 5fe269b0d14705de654f462955d3f3f0e42c9cda5a0df76bbacbcd5be324f92d32e36e6d2eee514f27b23a7ed657b28c67f8c2274c49ce805ef90ab4722aeebd

C:\Users\Admin\AppData\Local\Temp\83482A~1.EXE.tmp

MD5 ee13cc90fabfc6ac9c4e8a00ed3805af
SHA1 b50098d0e99a9f0f88624e58701c1a9570e421ae
SHA256 3fde70aec3497bc38df7518fcf190ae5ebbdd8c85976c28a17f7a43eaac9e92b
SHA512 5d0523bb8753f9bb6043df3d3e62cb0e479581e48b41efd86bc2a2c99c98654f5fcf36aa3366fbf8c30739296269b5b48b1d4d81a364d862e540fe7204ed4537
