danabot | fe7ce2b5ac19e2fc93436e1eddab8bc79043c518078559b8f9a2984a601b36cd

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

914572ae32ea3b7fda9860a619373534.exe
Size

1.1MB
MD5

914572ae32ea3b7fda9860a619373534
SHA1

afcd7d7280d9a19e69c056f8699283b4b92e435d
SHA256

fe7ce2b5ac19e2fc93436e1eddab8bc79043c518078559b8f9a2984a601b36cd
SHA512

b732d245509d13d98b23fd0b21878a03a0451db10f22334c2f8fd16f930ed961ae6ae1947a327001d3b4b76cf092a5fb9702df1f596452c9d3affd594d5577d7
SSDEEP

24576:Fmi/0mAnPFpGJD02Ev/J9IMYRys50FCs5p1ISI:96PFpKDKXJeks50FCstIl

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\914572~1.TMP	DanabotLoader2021
behavioral2/memory/408-11-0x0000000000400000-0x000000000055E000-memory.dmp	DanabotLoader2021
behavioral2/memory/408-19-0x0000000000400000-0x000000000055E000-memory.dmp	DanabotLoader2021
behavioral2/memory/408-20-0x0000000000400000-0x000000000055E000-memory.dmp	DanabotLoader2021
behavioral2/memory/408-21-0x0000000000400000-0x000000000055E000-memory.dmp	DanabotLoader2021
behavioral2/memory/408-22-0x0000000000400000-0x000000000055E000-memory.dmp	DanabotLoader2021
behavioral2/memory/408-23-0x0000000000400000-0x000000000055E000-memory.dmp	DanabotLoader2021
behavioral2/memory/408-24-0x0000000000400000-0x000000000055E000-memory.dmp	DanabotLoader2021
behavioral2/memory/408-25-0x0000000000400000-0x000000000055E000-memory.dmp	DanabotLoader2021
behavioral2/memory/408-26-0x0000000000400000-0x000000000055E000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

38 408 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

408 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1468 2340 WerFault.exe 914572ae32ea3b7fda9860a619373534.exe

flow	pid	process
38	408	rundll32.exe

pid	process
408	rundll32.exe

pid	pid_target	process	target process
1468	2340	WerFault.exe	914572ae32ea3b7fda9860a619373534.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

914572ae32ea3b7fda9860a619373534.exe

description	pid	process	target process
PID 2340 wrote to memory of 408	2340	914572ae32ea3b7fda9860a619373534.exe	rundll32.exe
PID 2340 wrote to memory of 408	2340	914572ae32ea3b7fda9860a619373534.exe	rundll32.exe
PID 2340 wrote to memory of 408	2340	914572ae32ea3b7fda9860a619373534.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\914572ae32ea3b7fda9860a619373534.exe
"C:\Users\Admin\AppData\Local\Temp\914572ae32ea3b7fda9860a619373534.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\914572~1.TMP,S C:\Users\Admin\AppData\Local\Temp\914572~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 516
2⤵
- Program crash
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2340 -ip 2340
1⤵
PID:4360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\914572~1.TMP
Filesize
1.3MB

MD5
00ad9c8b149b8e232e36c5823d73dcb4

SHA1
c8e1a519720ab5acb40766a0f985448e83a5a241

SHA256
23c285510f0c90b0905e5b48efff7bfa34697cca098296e68d16aa391e0d42c7

SHA512
472c1c518221d730a9206b02028fe4f191de4c3cc0003b624ea70795ec2292f8c7522442f8ea4d81a4c0667dc1b7087e463e8abd6d35465ae456d66f4c2d09a4

Download Submit
memory/408-11-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/408-23-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/408-26-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/408-25-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/408-24-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/408-22-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/408-19-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/408-20-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/408-21-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2340-1-0x0000000004AB0000-0x0000000004B9D000-memory.dmp

Filesize
948KB

Download
memory/2340-5-0x0000000000400000-0x0000000002D4E000-memory.dmp

Filesize
41.3MB

Download
memory/2340-10-0x0000000004BB0000-0x0000000004CB0000-memory.dmp

Filesize
1024KB

Download
memory/2340-8-0x0000000000400000-0x0000000002D4E000-memory.dmp

Filesize
41.3MB

Download
memory/2340-2-0x0000000004BB0000-0x0000000004CB0000-memory.dmp

Filesize
1024KB

Download