danabot | 3dbbf4a443427bd73efeed8ddd467c02f7d8a30b10f944f11e0ffe43e5783d53

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dd817cc7742d1cdd9c4ea682c38983f.exe
Size

1.1MB
MD5

8dd817cc7742d1cdd9c4ea682c38983f
SHA1

aec12b0211a94b4faf7cc674b393cd25cd5167aa
SHA256

3dbbf4a443427bd73efeed8ddd467c02f7d8a30b10f944f11e0ffe43e5783d53
SHA512

8159b623e509c1061a8f4885911e74b0d3c13948306b9ea551ad4b2cd3f222ef8f5943860c1b7d6c12a44b0da5f36c5987f63138e986a2e4d197e4016b6c5088
SSDEEP

24576:eVgGBOf0ajwXSZ60b38/Bv/neCpCgi7aMJnOB1z0oT:efajww67Bv/eNvpOr0oT

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

embedded_hash
0E1A7A1479C37094441FA911262B322A
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8DD817~1.EXE.dll	DanabotLoader2021
behavioral2/memory/3964-17-0x0000000002220000-0x0000000002381000-memory.dmp	DanabotLoader2021
behavioral2/memory/3964-19-0x0000000002220000-0x0000000002381000-memory.dmp	DanabotLoader2021
behavioral2/memory/3964-31-0x0000000002220000-0x0000000002381000-memory.dmp	DanabotLoader2021
behavioral2/memory/3964-33-0x0000000002220000-0x0000000002381000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

39 3964 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

3964 rundll32.exe
3964 rundll32.exe

flow	pid	process
39	3964	rundll32.exe

pid	process
3964	rundll32.exe
3964	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8dd817cc7742d1cdd9c4ea682c38983f.exe

description	pid	process	target process
PID 5008 wrote to memory of 3964	5008	8dd817cc7742d1cdd9c4ea682c38983f.exe	rundll32.exe
PID 5008 wrote to memory of 3964	5008	8dd817cc7742d1cdd9c4ea682c38983f.exe	rundll32.exe
PID 5008 wrote to memory of 3964	5008	8dd817cc7742d1cdd9c4ea682c38983f.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8dd817cc7742d1cdd9c4ea682c38983f.exe
"C:\Users\Admin\AppData\Local\Temp\8dd817cc7742d1cdd9c4ea682c38983f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8DD817~1.DLL,s C:\Users\Admin\AppData\Local\Temp\8DD817~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8DD817~1.EXE.dll
Filesize
1.3MB

MD5
623a18925a748d925d9ac087ea4bf711

SHA1
057b1199239658a20f19482ee00e5133f9a8328c

SHA256
08f00826231d926b79547bd244a82ba1dd4a891c79a5bf3ed529cb095eec0936

SHA512
0a14ffe8a7be5bf1099fb455c6cd37cf08598faabdf298e7554d3825a4030bcb3d682af57a41a3c63b97a9ddd25e9f08a76f7a07aee138b8d151fe1844db8642

Download Submit
memory/3964-19-0x0000000002220000-0x0000000002381000-memory.dmp

Filesize
1.4MB

Download
memory/3964-17-0x0000000002220000-0x0000000002381000-memory.dmp

Filesize
1.4MB

Download
memory/3964-31-0x0000000002220000-0x0000000002381000-memory.dmp

Filesize
1.4MB

Download
memory/3964-33-0x0000000002220000-0x0000000002381000-memory.dmp

Filesize
1.4MB

Download
memory/5008-5-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download
memory/5008-6-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download
memory/5008-8-0x0000000002640000-0x000000000273B000-memory.dmp

Filesize
1004KB

Download
memory/5008-9-0x0000000002840000-0x0000000002946000-memory.dmp

Filesize
1.0MB

Download
memory/5008-2-0x0000000002840000-0x0000000002946000-memory.dmp

Filesize
1.0MB

Download
memory/5008-18-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download
memory/5008-1-0x0000000002640000-0x000000000273B000-memory.dmp

Filesize
1004KB

Download
memory/5008-30-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download
memory/5008-32-0x0000000000400000-0x000000000248B000-memory.dmp

Filesize
32.5MB

Download