danabot | 967e08d85b9639892fd4bf4ab2d3e6fc7dcd4afe22326e4114df182c8b0a9b5e

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-02-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9129525b5a79a06dad5e9c6acfb72b8f.exe
Size

1.1MB
MD5

9129525b5a79a06dad5e9c6acfb72b8f
SHA1

1c69b60f725609b55c4e8b60b1c4cc2afb05fa97
SHA256

967e08d85b9639892fd4bf4ab2d3e6fc7dcd4afe22326e4114df182c8b0a9b5e
SHA512

c69c4c60ec88f1fcda7702be8f565641d3b9ea62d40a933bdf9cc1ad85f708aa89bfa672438d4bc79ff7673a7f6072edff2612e41be8712dbba605156fcff256
SSDEEP

24576:O49I0d14BsA6i8vzE/WaWSlOXeLuvNH7mE+FMgbZ//u+lD8f2bQR1N:OsAsDiCg+WOXpHKFMgbZXukD8fw

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2448 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2448 rundll32.exe

flow	pid	process
2	2448	rundll32.exe

pid	process
2448	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

9129525b5a79a06dad5e9c6acfb72b8f.exe

description	pid	process	target process
PID 2512 wrote to memory of 2448	2512	9129525b5a79a06dad5e9c6acfb72b8f.exe	rundll32.exe
PID 2512 wrote to memory of 2448	2512	9129525b5a79a06dad5e9c6acfb72b8f.exe	rundll32.exe
PID 2512 wrote to memory of 2448	2512	9129525b5a79a06dad5e9c6acfb72b8f.exe	rundll32.exe
PID 2512 wrote to memory of 2448	2512	9129525b5a79a06dad5e9c6acfb72b8f.exe	rundll32.exe
PID 2512 wrote to memory of 2448	2512	9129525b5a79a06dad5e9c6acfb72b8f.exe	rundll32.exe
PID 2512 wrote to memory of 2448	2512	9129525b5a79a06dad5e9c6acfb72b8f.exe	rundll32.exe
PID 2512 wrote to memory of 2448	2512	9129525b5a79a06dad5e9c6acfb72b8f.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9129525b5a79a06dad5e9c6acfb72b8f.exe
"C:\Users\Admin\AppData\Local\Temp\9129525b5a79a06dad5e9c6acfb72b8f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\912952~1.TMP,S C:\Users\Admin\AppData\Local\Temp\912952~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\912952~1.TMP
Filesize
1.3MB

MD5
fc55d7afa5ad97587a0d02965e69501b

SHA1
e485195a77d6ac84189da82c088698e3118d01bb

SHA256
dbf7ee1c646a64f9b4aea4b4180b15a91fa4e31b7e35bb2ed2a3e65301db98d6

SHA512
e03bb1a1c018811a5f4f93f5206a25c2de8b9de8763b2847e07770cc7fc763300662e5e642706e90ccae6a8ea4ea17ad9ebd8392ee95b5946397605389d5f303

Download Submit
memory/2448-22-0x0000000000A10000-0x0000000000B6C000-memory.dmp

Filesize
1.4MB

Download
memory/2448-10-0x0000000000A10000-0x0000000000B6C000-memory.dmp

Filesize
1.4MB

Download
memory/2448-26-0x0000000000A10000-0x0000000000B6C000-memory.dmp

Filesize
1.4MB

Download
memory/2448-25-0x0000000000A10000-0x0000000000B6C000-memory.dmp

Filesize
1.4MB

Download
memory/2448-19-0x0000000000A10000-0x0000000000B6C000-memory.dmp

Filesize
1.4MB

Download
memory/2448-24-0x0000000000A10000-0x0000000000B6C000-memory.dmp

Filesize
1.4MB

Download
memory/2448-23-0x0000000000A10000-0x0000000000B6C000-memory.dmp

Filesize
1.4MB

Download
memory/2448-11-0x0000000000A10000-0x0000000000B6C000-memory.dmp

Filesize
1.4MB

Download
memory/2448-21-0x0000000000A10000-0x0000000000B6C000-memory.dmp

Filesize
1.4MB

Download
memory/2448-20-0x0000000000A10000-0x0000000000B6C000-memory.dmp

Filesize
1.4MB

Download
memory/2512-7-0x0000000000400000-0x00000000014F1000-memory.dmp

Filesize
16.9MB

Download
memory/2512-0-0x00000000002A0000-0x0000000000388000-memory.dmp

Filesize
928KB

Download
memory/2512-1-0x00000000002A0000-0x0000000000388000-memory.dmp

Filesize
928KB

Download
memory/2512-8-0x0000000002E40000-0x0000000002F3E000-memory.dmp

Filesize
1016KB

Download
memory/2512-5-0x0000000000400000-0x00000000014F1000-memory.dmp

Filesize
16.9MB

Download
memory/2512-2-0x0000000002E40000-0x0000000002F3E000-memory.dmp

Filesize
1016KB

Download