danabot | ee5d22a6100afb0935a51cc27ff16e833c796abce26d9ce254d66f30ab28c150

General

Target

90a89fc585f1c79b2629c9dd8520ddb9.exe
Size

1.1MB
MD5

90a89fc585f1c79b2629c9dd8520ddb9
SHA1

5e6205f57a65fed48134a9fb1de4277e63d4bcf3
SHA256

ee5d22a6100afb0935a51cc27ff16e833c796abce26d9ce254d66f30ab28c150
SHA512

b30229d0c8499e0a5914da28522870bf1c42dbe98dd31c32bcda0fe1d562226f0c37e54b1b5ca539fd9978c3dbb3c8dcd8473337c3ae088fce05173c9b3ba45d
SSDEEP

24576:ZhzaKR5eJP1CM3jE4Rq8umW7DCk9n/C9m+t9eAU6:6KyJNXE4Y86CkdCI+tgAU6

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

embedded_hash
0E1A7A1479C37094441FA911262B322A
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\90A89F~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\90A89F~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\90A89F~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\90A89F~1.DLL	DanabotLoader2021
behavioral1/memory/2464-19-0x0000000000AB0000-0x0000000000C12000-memory.dmp	DanabotLoader2021
behavioral1/memory/2464-21-0x0000000000AB0000-0x0000000000C12000-memory.dmp	DanabotLoader2021
behavioral1/memory/2464-33-0x0000000000AB0000-0x0000000000C12000-memory.dmp	DanabotLoader2021
behavioral1/memory/2464-34-0x0000000000AB0000-0x0000000000C12000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2464 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

2464 rundll32.exe
2464 rundll32.exe
2464 rundll32.exe
2464 rundll32.exe

flow	pid	process
2	2464	rundll32.exe

pid	process
2464	rundll32.exe
2464	rundll32.exe
2464	rundll32.exe
2464	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

90a89fc585f1c79b2629c9dd8520ddb9.exe

description	pid	process	target process
PID 2240 wrote to memory of 2464	2240	90a89fc585f1c79b2629c9dd8520ddb9.exe	rundll32.exe
PID 2240 wrote to memory of 2464	2240	90a89fc585f1c79b2629c9dd8520ddb9.exe	rundll32.exe
PID 2240 wrote to memory of 2464	2240	90a89fc585f1c79b2629c9dd8520ddb9.exe	rundll32.exe
PID 2240 wrote to memory of 2464	2240	90a89fc585f1c79b2629c9dd8520ddb9.exe	rundll32.exe
PID 2240 wrote to memory of 2464	2240	90a89fc585f1c79b2629c9dd8520ddb9.exe	rundll32.exe
PID 2240 wrote to memory of 2464	2240	90a89fc585f1c79b2629c9dd8520ddb9.exe	rundll32.exe
PID 2240 wrote to memory of 2464	2240	90a89fc585f1c79b2629c9dd8520ddb9.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\90a89fc585f1c79b2629c9dd8520ddb9.exe
"C:\Users\Admin\AppData\Local\Temp\90a89fc585f1c79b2629c9dd8520ddb9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\90A89F~1.DLL,s C:\Users\Admin\AppData\Local\Temp\90A89F~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\90A89F~1.DLL

Filesize
1.3MB

MD5
a5a1c66de52785a893b83f062145ccb5

SHA1
9b372f6c69987d527e2579abaf462a6d02f529b0

SHA256
1f3091c90206bb6d0e4d67cab10d01bd32cc55a1d8a6d850039761705e9994cc

SHA512
11dbf787990a83caa075b0b090b4c3236c7e5c949df4c98a4be3f53f7b9ae9d8da8afcb63b5a726e07f66c79d7e43355727001b49132c9d6d5b688dc304c89b6

Download Submit
\Users\Admin\AppData\Local\Temp\90A89F~1.DLL

Filesize
1.3MB

MD5
2f3e96bea228be7d71f503678aca53c2

SHA1
841776664d18fad05197cdc7bca6adebc45bb241

SHA256
0e43a642715231321e8135430eb5a394863d51be9b998249f10b4e8cc2537e65

SHA512
974565d5548563d9e52523800235a9dee41d805378e14d9f3caeb96a97a429ea7fb62bbf478a7a40c3d53cb949a1b25e5a7ca57f805bfc0beb9d34d675303658

Download Submit
\Users\Admin\AppData\Local\Temp\90A89F~1.DLL

Filesize
1.0MB

MD5
7a140bf8a48a09a46679650f477df3ba

SHA1
44dd2cc9db2c6c69ddb977c13dfa2c389df79729

SHA256
eb681c591a963473058a964e6400a2329b731edd290a299d3ade765b60eb5acb

SHA512
ab1ac8ba38fd71ebe9d47c7ebc07678d47f01583406b76985daf8b612fd8252f89706c63f987155f269a4b640a7899b06b72ca79fd1ce7e0b6503b8e2f8cd44d

Download Submit
\Users\Admin\AppData\Local\Temp\90A89F~1.DLL

Filesize
1017KB

MD5
78a093336f975cb32ecf46a084c23d9d

SHA1
7f596115405b2ba708eff7f2af57746589e3310d

SHA256
3a26bd77764adb87b47a81be88606ac3fa576f512f0bce58f08e05c05acd1a9d

SHA512
5f3cc062fc547867787cb51f88e9f69398a260459a8baf2c81c64f3bc8ee43f5dd3240d9fa1820954ab9d0983a720eba63f90d99cb2d95c14dcaf0679fd544cf

Download Submit
memory/2240-6-0x0000000000400000-0x0000000002DA2000-memory.dmp

Filesize
41.6MB

Download
memory/2240-7-0x0000000002DB0000-0x0000000002E9F000-memory.dmp

Filesize
956KB

Download
memory/2240-9-0x0000000002FA0000-0x00000000030A6000-memory.dmp

Filesize
1.0MB

Download
memory/2240-0-0x0000000002DB0000-0x0000000002E9F000-memory.dmp

Filesize
956KB

Download
memory/2240-5-0x0000000000400000-0x0000000002DA2000-memory.dmp

Filesize
41.6MB

Download
memory/2240-1-0x0000000002DB0000-0x0000000002E9F000-memory.dmp

Filesize
956KB

Download
memory/2240-2-0x0000000002FA0000-0x00000000030A6000-memory.dmp

Filesize
1.0MB

Download
memory/2240-20-0x0000000000400000-0x0000000002DA2000-memory.dmp

Filesize
41.6MB

Download
memory/2240-32-0x0000000000400000-0x0000000002DA2000-memory.dmp

Filesize
41.6MB

Download
memory/2464-19-0x0000000000AB0000-0x0000000000C12000-memory.dmp

Filesize
1.4MB

Download
memory/2464-21-0x0000000000AB0000-0x0000000000C12000-memory.dmp

Filesize
1.4MB

Download
memory/2464-33-0x0000000000AB0000-0x0000000000C12000-memory.dmp

Filesize
1.4MB

Download
memory/2464-34-0x0000000000AB0000-0x0000000000C12000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing