danabot | 3dbbf4a443427bd73efeed8ddd467c02f7d8a30b10f944f11e0ffe43e5783d53

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 01:11

Target

8dd817cc7742d1cdd9c4ea682c38983f.exe
Size

1.1MB
MD5

8dd817cc7742d1cdd9c4ea682c38983f
SHA1

aec12b0211a94b4faf7cc674b393cd25cd5167aa
SHA256

3dbbf4a443427bd73efeed8ddd467c02f7d8a30b10f944f11e0ffe43e5783d53
SHA512

8159b623e509c1061a8f4885911e74b0d3c13948306b9ea551ad4b2cd3f222ef8f5943860c1b7d6c12a44b0da5f36c5987f63138e986a2e4d197e4016b6c5088
SSDEEP

24576:eVgGBOf0ajwXSZ60b38/Bv/neCpCgi7aMJnOB1z0oT:efajww67Bv/eNvpOr0oT

Score

10^/10

Family

danabot

Botnet

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8DD817~1.DLL	DanabotLoader2021
behavioral1/memory/2664-17-0x00000000003C0000-0x0000000000521000-memory.dmp	DanabotLoader2021
behavioral1/memory/2664-19-0x00000000003C0000-0x0000000000521000-memory.dmp	DanabotLoader2021
behavioral1/memory/2664-31-0x00000000003C0000-0x0000000000521000-memory.dmp	DanabotLoader2021
behavioral1/memory/2664-32-0x00000000003C0000-0x0000000000521000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2664 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

2664 rundll32.exe
2664 rundll32.exe
2664 rundll32.exe
2664 rundll32.exe

flow	pid	process
2	2664	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8dd817cc7742d1cdd9c4ea682c38983f.exe

description	pid	process	target process
PID 3000 wrote to memory of 2664	3000	8dd817cc7742d1cdd9c4ea682c38983f.exe	rundll32.exe
PID 3000 wrote to memory of 2664	3000	8dd817cc7742d1cdd9c4ea682c38983f.exe	rundll32.exe
PID 3000 wrote to memory of 2664	3000	8dd817cc7742d1cdd9c4ea682c38983f.exe	rundll32.exe
PID 3000 wrote to memory of 2664	3000	8dd817cc7742d1cdd9c4ea682c38983f.exe	rundll32.exe
PID 3000 wrote to memory of 2664	3000	8dd817cc7742d1cdd9c4ea682c38983f.exe	rundll32.exe
PID 3000 wrote to memory of 2664	3000	8dd817cc7742d1cdd9c4ea682c38983f.exe	rundll32.exe
PID 3000 wrote to memory of 2664	3000	8dd817cc7742d1cdd9c4ea682c38983f.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8dd817cc7742d1cdd9c4ea682c38983f.exe
"C:\Users\Admin\AppData\Local\Temp\8dd817cc7742d1cdd9c4ea682c38983f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\8DD817~1.DLL

Filesize
1.3MB

MD5
ba2b277400546cbedd21c64db11376cd

SHA1
d51d181b1dd1f4d29d4bc970d9d45df06ae79b97

SHA256
5eb633b131e7bb2face2065f49318890d270fb1fec11060f35f841fa440d0f8f

SHA512
4f6ff3f2e2a2d1fdc3619e59369e36bbbc1a9b3ec413e54b42db3c34e3d56800da5665ecf1dfbf2a58d84481a33770d339e8505e6993cf54b1471adf9a057b69

Download Submit
memory/2664-17-0x00000000003C0000-0x0000000000521000-memory.dmp

Filesize
1.4MB

Download
memory/2664-19-0x00000000003C0000-0x0000000000521000-memory.dmp

Filesize
1.4MB

Download
memory/2664-31-0x00000000003C0000-0x0000000000521000-memory.dmp

Filesize
1.4MB

Download
memory/2664-32-0x00000000003C0000-0x0000000000521000-memory.dmp

Filesize
1.4MB

Download
memory/3000-0-0x0000000002490000-0x000000000257F000-memory.dmp

Filesize
956KB

Download
memory/3000-1-0x0000000002490000-0x000000000257F000-memory.dmp

Filesize
956KB

Download
memory/3000-2-0x0000000002680000-0x0000000002786000-memory.dmp

Filesize
1.0MB

Download
memory/3000-5-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download
memory/3000-6-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download
memory/3000-18-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download
memory/3000-30-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download