danabot | 4773c2edf97089e1ea3108cb675777b870020f5e3082dec8a89a3bc5a2297c1c

General

Target

998930cd0a9d89d4d7ed82132271bf61.exe
Size

1.1MB
MD5

998930cd0a9d89d4d7ed82132271bf61
SHA1

25bfd30344c52bbe22aa9051cfa05384e290180d
SHA256

4773c2edf97089e1ea3108cb675777b870020f5e3082dec8a89a3bc5a2297c1c
SHA512

1830f2b4919ce2901d285cec70f89c419e8dd97c6d3425b13926f4f32b371cf28c34d57457bc7eee6df04b1a8e21903fc384a48fd6fec7ec0178d5cc06eb1a64
SSDEEP

24576:qzKSkRPg8PeU3aYN0yCP9R5SDGJMm4zrYo3O4nwuMuK1LIU4u:4KRPZPeU3wtyGJMpK4wNN1LIU

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

23.229.29.48:443

152.89.247.31:443

192.210.222.81:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\998930~1.TMP	DanabotLoader2021
behavioral1/memory/1848-8-0x00000000020A0000-0x00000000021FF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1848-12-0x00000000020A0000-0x00000000021FF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1848-20-0x00000000020A0000-0x00000000021FF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1848-21-0x00000000020A0000-0x00000000021FF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1848-22-0x00000000020A0000-0x00000000021FF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1848-23-0x00000000020A0000-0x00000000021FF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1848-24-0x00000000020A0000-0x00000000021FF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1848-25-0x00000000020A0000-0x00000000021FF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1848-26-0x00000000020A0000-0x00000000021FF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1848-27-0x00000000020A0000-0x00000000021FF000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1848 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1848 rundll32.exe

flow	pid	process
2	1848	rundll32.exe

pid	process
1848	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

998930cd0a9d89d4d7ed82132271bf61.exe

description	pid	process	target process
PID 2196 wrote to memory of 1848	2196	998930cd0a9d89d4d7ed82132271bf61.exe	rundll32.exe
PID 2196 wrote to memory of 1848	2196	998930cd0a9d89d4d7ed82132271bf61.exe	rundll32.exe
PID 2196 wrote to memory of 1848	2196	998930cd0a9d89d4d7ed82132271bf61.exe	rundll32.exe
PID 2196 wrote to memory of 1848	2196	998930cd0a9d89d4d7ed82132271bf61.exe	rundll32.exe
PID 2196 wrote to memory of 1848	2196	998930cd0a9d89d4d7ed82132271bf61.exe	rundll32.exe
PID 2196 wrote to memory of 1848	2196	998930cd0a9d89d4d7ed82132271bf61.exe	rundll32.exe
PID 2196 wrote to memory of 1848	2196	998930cd0a9d89d4d7ed82132271bf61.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\998930cd0a9d89d4d7ed82132271bf61.exe
"C:\Users\Admin\AppData\Local\Temp\998930cd0a9d89d4d7ed82132271bf61.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\998930~1.TMP,S C:\Users\Admin\AppData\Local\Temp\998930~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\998930~1.TMP

Filesize
1.3MB

MD5
e20a7327c72b4308abce23615a2be27f

SHA1
908a67e336e15d2a68b103e2a082e1146afd8e66

SHA256
65d5a44abe0c1b36c1cb6b5cca7cf3d0fde1e70e10aa0e78719602b7b1cc9c2a

SHA512
e6b729270b6e4e4ec34fe242eff8f360d4892ed020c4923ab6d444355b0ab2cca760049074ba912f970c393c2ddd5bd29fcf64b7cbce1b29c2b7337f08ae46d9

Download Submit
memory/1848-22-0x00000000020A0000-0x00000000021FF000-memory.dmp

Filesize
1.4MB

Download
memory/1848-23-0x00000000020A0000-0x00000000021FF000-memory.dmp

Filesize
1.4MB

Download
memory/1848-12-0x00000000020A0000-0x00000000021FF000-memory.dmp

Filesize
1.4MB

Download
memory/1848-8-0x00000000020A0000-0x00000000021FF000-memory.dmp

Filesize
1.4MB

Download
memory/1848-20-0x00000000020A0000-0x00000000021FF000-memory.dmp

Filesize
1.4MB

Download
memory/1848-27-0x00000000020A0000-0x00000000021FF000-memory.dmp

Filesize
1.4MB

Download
memory/1848-26-0x00000000020A0000-0x00000000021FF000-memory.dmp

Filesize
1.4MB

Download
memory/1848-21-0x00000000020A0000-0x00000000021FF000-memory.dmp

Filesize
1.4MB

Download
memory/1848-25-0x00000000020A0000-0x00000000021FF000-memory.dmp

Filesize
1.4MB

Download
memory/1848-24-0x00000000020A0000-0x00000000021FF000-memory.dmp

Filesize
1.4MB

Download
memory/2196-10-0x0000000000400000-0x0000000002DA0000-memory.dmp

Filesize
41.6MB

Download
memory/2196-0-0x0000000004570000-0x000000000465B000-memory.dmp

Filesize
940KB

Download
memory/2196-9-0x0000000004660000-0x0000000004760000-memory.dmp

Filesize
1024KB

Download
memory/2196-5-0x0000000000400000-0x0000000002DA0000-memory.dmp

Filesize
41.6MB

Download
memory/2196-1-0x0000000004570000-0x000000000465B000-memory.dmp

Filesize
940KB

Download
memory/2196-11-0x0000000004570000-0x000000000465B000-memory.dmp

Filesize
940KB

Download
memory/2196-2-0x0000000004660000-0x0000000004760000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing