danabot | ae4f84c437fa84a00d09e2fc184cf821cdddfaa3d2c516951316adad3e8d5434

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ac845987468dc8a6880fa5ee0143ef3.exe
Size

1.1MB
MD5

8ac845987468dc8a6880fa5ee0143ef3
SHA1

81ca330b6e548f1b05da8a330704c1c4e9358f58
SHA256

ae4f84c437fa84a00d09e2fc184cf821cdddfaa3d2c516951316adad3e8d5434
SHA512

314564e0119804c6bdb7f213ff024b35c7ae737e93508076468df10229701611e60abad5c101a9b376430a646223d6500df724c5b70ac0b188ec7d9f1eb07888
SSDEEP

24576:t+KEpCx7CCrJKAE3z8bRgAZug3ZCE12ueXu2QpLUvNStfbdCxady2O8U6:t+z+N2zuRgAMgQE8QZU1Stf4Zpf

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

23.229.29.48:443

152.89.247.31:443

192.210.222.81:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8AC845~1.TMP	DanabotLoader2021
behavioral1/memory/2292-9-0x0000000001E20000-0x0000000001F7E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-11-0x0000000001E20000-0x0000000001F7E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-19-0x0000000001E20000-0x0000000001F7E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-20-0x0000000001E20000-0x0000000001F7E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-21-0x0000000001E20000-0x0000000001F7E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-22-0x0000000001E20000-0x0000000001F7E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-23-0x0000000001E20000-0x0000000001F7E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-24-0x0000000001E20000-0x0000000001F7E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-25-0x0000000001E20000-0x0000000001F7E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2292-26-0x0000000001E20000-0x0000000001F7E000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2292 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2292 rundll32.exe

flow	pid	process
2	2292	rundll32.exe

pid	process
2292	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8ac845987468dc8a6880fa5ee0143ef3.exe

description	pid	process	target process
PID 1256 wrote to memory of 2292	1256	8ac845987468dc8a6880fa5ee0143ef3.exe	rundll32.exe
PID 1256 wrote to memory of 2292	1256	8ac845987468dc8a6880fa5ee0143ef3.exe	rundll32.exe
PID 1256 wrote to memory of 2292	1256	8ac845987468dc8a6880fa5ee0143ef3.exe	rundll32.exe
PID 1256 wrote to memory of 2292	1256	8ac845987468dc8a6880fa5ee0143ef3.exe	rundll32.exe
PID 1256 wrote to memory of 2292	1256	8ac845987468dc8a6880fa5ee0143ef3.exe	rundll32.exe
PID 1256 wrote to memory of 2292	1256	8ac845987468dc8a6880fa5ee0143ef3.exe	rundll32.exe
PID 1256 wrote to memory of 2292	1256	8ac845987468dc8a6880fa5ee0143ef3.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8ac845987468dc8a6880fa5ee0143ef3.exe
"C:\Users\Admin\AppData\Local\Temp\8ac845987468dc8a6880fa5ee0143ef3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8AC845~1.TMP,S C:\Users\Admin\AppData\Local\Temp\8AC845~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8AC845~1.TMP

Filesize
1.3MB

MD5
3fc84ffac4d5247b70ea4f497d55f5d9

SHA1
24d7aacab45d49c007b5bd9c369445fbcd80ebec

SHA256
ffd8fdaa548d951f98e0c2596f8e12a001db137142ece3c4f05bda056c0bc85d

SHA512
f551e891e50e1966ea132eb68102276bf66edab5147f6bdc24f55b05e7d8edccfd3650413e57f2d77970e848f179201ffc23ed89b58e67a8f3ebc6876e4b0ecd

Download Submit
memory/1256-10-0x0000000002650000-0x0000000002751000-memory.dmp

Filesize
1.0MB

Download
memory/1256-1-0x00000000002F0000-0x00000000003DB000-memory.dmp

Filesize
940KB

Download
memory/1256-2-0x0000000002650000-0x0000000002751000-memory.dmp

Filesize
1.0MB

Download
memory/1256-7-0x0000000000400000-0x000000000248C000-memory.dmp

Filesize
32.5MB

Download
memory/1256-5-0x0000000000400000-0x000000000248C000-memory.dmp

Filesize
32.5MB

Download
memory/1256-0-0x00000000002F0000-0x00000000003DB000-memory.dmp

Filesize
940KB

Download
memory/2292-11-0x0000000001E20000-0x0000000001F7E000-memory.dmp

Filesize
1.4MB

Download
memory/2292-9-0x0000000001E20000-0x0000000001F7E000-memory.dmp

Filesize
1.4MB

Download
memory/2292-19-0x0000000001E20000-0x0000000001F7E000-memory.dmp

Filesize
1.4MB

Download
memory/2292-20-0x0000000001E20000-0x0000000001F7E000-memory.dmp

Filesize
1.4MB

Download
memory/2292-21-0x0000000001E20000-0x0000000001F7E000-memory.dmp

Filesize
1.4MB

Download
memory/2292-22-0x0000000001E20000-0x0000000001F7E000-memory.dmp

Filesize
1.4MB

Download
memory/2292-23-0x0000000001E20000-0x0000000001F7E000-memory.dmp

Filesize
1.4MB

Download
memory/2292-24-0x0000000001E20000-0x0000000001F7E000-memory.dmp

Filesize
1.4MB

Download
memory/2292-25-0x0000000001E20000-0x0000000001F7E000-memory.dmp

Filesize
1.4MB

Download
memory/2292-26-0x0000000001E20000-0x0000000001F7E000-memory.dmp

Filesize
1.4MB

Download