danabot | ee5d22a6100afb0935a51cc27ff16e833c796abce26d9ce254d66f30ab28c150

Analysis

max time kernel
147s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2024 01:19

Target

90a89fc585f1c79b2629c9dd8520ddb9.exe
Size

1.1MB
MD5

90a89fc585f1c79b2629c9dd8520ddb9
SHA1

5e6205f57a65fed48134a9fb1de4277e63d4bcf3
SHA256

ee5d22a6100afb0935a51cc27ff16e833c796abce26d9ce254d66f30ab28c150
SHA512

b30229d0c8499e0a5914da28522870bf1c42dbe98dd31c32bcda0fe1d562226f0c37e54b1b5ca539fd9978c3dbb3c8dcd8473337c3ae088fce05173c9b3ba45d
SSDEEP

24576:ZhzaKR5eJP1CM3jE4Rq8umW7DCk9n/C9m+t9eAU6:6KyJNXE4Y86CkdCI+tgAU6

Score

10^/10

Family

danabot

Botnet

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\90A89F~1.DLL	DanabotLoader2021
behavioral2/memory/3128-17-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/3128-30-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021
behavioral2/memory/3128-31-0x0000000000400000-0x0000000000562000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

48 3128 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3128 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1628 3268 WerFault.exe 90a89fc585f1c79b2629c9dd8520ddb9.exe

flow	pid	process
48	3128	rundll32.exe

pid	process
3128	rundll32.exe

pid	pid_target	process	target process
1628	3268	WerFault.exe	90a89fc585f1c79b2629c9dd8520ddb9.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

90a89fc585f1c79b2629c9dd8520ddb9.exe

description	pid	process	target process
PID 3268 wrote to memory of 3128	3268	90a89fc585f1c79b2629c9dd8520ddb9.exe	rundll32.exe
PID 3268 wrote to memory of 3128	3268	90a89fc585f1c79b2629c9dd8520ddb9.exe	rundll32.exe
PID 3268 wrote to memory of 3128	3268	90a89fc585f1c79b2629c9dd8520ddb9.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\90a89fc585f1c79b2629c9dd8520ddb9.exe
"C:\Users\Admin\AppData\Local\Temp\90a89fc585f1c79b2629c9dd8520ddb9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 508
2⤵
- Program crash
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3268 -ip 3268
1⤵
PID:328

C:\Users\Admin\AppData\Local\Temp\90A89F~1.DLL
Filesize
1.3MB

MD5
8bb3c63306951051956ee2e131794114

SHA1
ccc4e7bb6b6acc1beafe482b750db64602bb4320

SHA256
9c1ae3bb1ae39b1760311947c5c386a8e423a8775a3856784a60906f6c7b8f7b

SHA512
a555391d5ff08055f604d86d93a6b30cc39b6d7ee41dfcb10ccc675fd4f8612af16c9ef2c17c56d4cab9e412b7d68723f95994a5cca7b4a1e1e97bbef459268f

Download Submit
memory/3128-17-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3128-30-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3128-31-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/3268-2-0x0000000004C90000-0x0000000004D96000-memory.dmp

Filesize
1.0MB

Download
memory/3268-1-0x0000000004B90000-0x0000000004C87000-memory.dmp

Filesize
988KB

Download
memory/3268-5-0x0000000000400000-0x0000000002DA2000-memory.dmp

Filesize
41.6MB

Download
memory/3268-6-0x0000000000400000-0x0000000002DA2000-memory.dmp

Filesize
41.6MB

Download
memory/3268-7-0x0000000004B90000-0x0000000004C87000-memory.dmp

Filesize
988KB

Download
memory/3268-9-0x0000000004C90000-0x0000000004D96000-memory.dmp

Filesize
1.0MB

Download
memory/3268-16-0x0000000000400000-0x0000000002DA2000-memory.dmp

Filesize
41.6MB

Download
memory/3268-29-0x0000000000400000-0x0000000002DA2000-memory.dmp

Filesize
41.6MB

Download