danabot | 686ae3c38a2f42c883eb8aa7b51dc99fb371b94a7bb7701737c9025231e1d503

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 22:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97c6fcd944c08c8e704360bbc7942c93.exe
Size

1.1MB
MD5

97c6fcd944c08c8e704360bbc7942c93
SHA1

ca9485348c17a422c175759c640999246aa2548d
SHA256

686ae3c38a2f42c883eb8aa7b51dc99fb371b94a7bb7701737c9025231e1d503
SHA512

5d8e565c4f0127cfda0878aa1c1b6327df3a359ce38c7c632561258cd2bef22103ddb204270bd29c1cffbd3d7ba31cd97e91abf502b32a27887d80273da6c629
SSDEEP

24576:NcUMZzHq9a2jUWAs85Z6ovaPg62NKKGPbgyVx7WxS25C0jN:UzK9Rcs8k/8KDTgyVVWxS251N

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 10 IoCs

resource	yara_rule
behavioral2/files/0x000600000001e596-6.dat	DanabotLoader2021
behavioral2/memory/4236-10-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/4236-18-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/4236-19-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/4236-20-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/4236-21-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/4236-22-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/4236-23-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/4236-24-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/4236-25-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
38	4236	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4236	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2056	2216	WerFault.exe	53

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 4236	2216	97c6fcd944c08c8e704360bbc7942c93.exe	86
PID 2216 wrote to memory of 4236	2216	97c6fcd944c08c8e704360bbc7942c93.exe	86
PID 2216 wrote to memory of 4236	2216	97c6fcd944c08c8e704360bbc7942c93.exe	86

C:\Users\Admin\AppData\Local\Temp\97c6fcd944c08c8e704360bbc7942c93.exe
"C:\Users\Admin\AppData\Local\Temp\97c6fcd944c08c8e704360bbc7942c93.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\97C6FC~1.TMP,S C:\Users\Admin\AppData\Local\Temp\97C6FC~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 500
  2⤵
  - Program crash
  PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2216 -ip 2216
1⤵
PID:324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\97C6FC~1.TMP

Filesize
1.3MB

MD5
973e243a21c58d1ce53e81b6cfb13f29

SHA1
7e8eba90c43e6bc2bbbb966923f9f9ff76ab01d6

SHA256
a4f029ef2f2dcd8319955185a0675b446ad78f737a383afb57f86ae70335d1a3

SHA512
d44b3c66611ef1b16eb15361cb476776d1980a6b9d5a1abac73a3b3942b95205c54dafb7f99e86d0c640f85c38ec7eaa66ca63578704cde61ff7dc269e1a9ebe

Download Submit
memory/2216-1-0x0000000002210000-0x0000000002308000-memory.dmp

Filesize
992KB

Download
memory/2216-2-0x0000000002310000-0x000000000240F000-memory.dmp

Filesize
1020KB

Download
memory/2216-3-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2216-8-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2216-9-0x0000000002310000-0x000000000240F000-memory.dmp

Filesize
1020KB

Download
memory/4236-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4236-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4236-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4236-20-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4236-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4236-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4236-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4236-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4236-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download