danabot | 4773c2edf97089e1ea3108cb675777b870020f5e3082dec8a89a3bc5a2297c1c

General

Target

998930cd0a9d89d4d7ed82132271bf61.exe
Size

1.1MB
MD5

998930cd0a9d89d4d7ed82132271bf61
SHA1

25bfd30344c52bbe22aa9051cfa05384e290180d
SHA256

4773c2edf97089e1ea3108cb675777b870020f5e3082dec8a89a3bc5a2297c1c
SHA512

1830f2b4919ce2901d285cec70f89c419e8dd97c6d3425b13926f4f32b371cf28c34d57457bc7eee6df04b1a8e21903fc384a48fd6fec7ec0178d5cc06eb1a64
SSDEEP

24576:qzKSkRPg8PeU3aYN0yCP9R5SDGJMm4zrYo3O4nwuMuK1LIU4u:4KRPZPeU3wtyGJMpK4wNN1LIU

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

23.229.29.48:443

152.89.247.31:443

192.210.222.81:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 12 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\998930~1.TMP	DanabotLoader2021
behavioral2/memory/2592-9-0x0000000002370000-0x00000000024CF000-memory.dmp	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\998930~1.EXE.tmp	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\998930~1.EXE.tmp	DanabotLoader2021
behavioral2/memory/2592-13-0x0000000002370000-0x00000000024CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/2592-21-0x0000000002370000-0x00000000024CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/2592-22-0x0000000002370000-0x00000000024CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/2592-23-0x0000000002370000-0x00000000024CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/2592-24-0x0000000002370000-0x00000000024CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/2592-25-0x0000000002370000-0x00000000024CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/2592-26-0x0000000002370000-0x00000000024CF000-memory.dmp	DanabotLoader2021
behavioral2/memory/2592-27-0x0000000002370000-0x00000000024CF000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

50 2592 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2592 rundll32.exe
2592 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1452 1332 WerFault.exe 998930cd0a9d89d4d7ed82132271bf61.exe

flow	pid	process
50	2592	rundll32.exe

pid	process
2592	rundll32.exe
2592	rundll32.exe

pid	pid_target	process	target process
1452	1332	WerFault.exe	998930cd0a9d89d4d7ed82132271bf61.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

998930cd0a9d89d4d7ed82132271bf61.exe

description	pid	process	target process
PID 1332 wrote to memory of 2592	1332	998930cd0a9d89d4d7ed82132271bf61.exe	rundll32.exe
PID 1332 wrote to memory of 2592	1332	998930cd0a9d89d4d7ed82132271bf61.exe	rundll32.exe
PID 1332 wrote to memory of 2592	1332	998930cd0a9d89d4d7ed82132271bf61.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\998930cd0a9d89d4d7ed82132271bf61.exe
"C:\Users\Admin\AppData\Local\Temp\998930cd0a9d89d4d7ed82132271bf61.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\998930~1.TMP,S C:\Users\Admin\AppData\Local\Temp\998930~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 536
2⤵
- Program crash
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1332 -ip 1332
1⤵
PID:1880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\998930~1.EXE.tmp

Filesize
161KB

MD5
829926667d73274ff9e9a2a368823f28

SHA1
156bf811032803846a1478f1ce61f9c86b327065

SHA256
2155d0d0a6f4c43142ad342ea2959ab068ece50a27bc4712146348d78d1bf7aa

SHA512
08f3e9f30b3b8657bedd60774e5d171ae78711d08159f2324cfa787e0c55c0d576015246fecbae70f3ba92d1a87b2a93ba09c7db8458d37d8edf40a85abe8576

Download Submit
C:\Users\Admin\AppData\Local\Temp\998930~1.EXE.tmp

Filesize
302KB

MD5
5bed510e1d8c9d84ff7ab97b11beeda5

SHA1
ca231b1449448c50309dea143827ce34a3c81476

SHA256
b3f537dd28a5bd596947f1d9f8a1b45eccec1ad693afc08878560fac0a602d72

SHA512
7f3a69f2e488bcac86d305eb2a9ed208e95c7b9f19e2edde87276bb8458d182e2d10156a00c739774c371ef408151a6060cda724edb78da11ed8ffeed85ab90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\998930~1.TMP

Filesize
295KB

MD5
a827aef715293c0190b4f061249b73aa

SHA1
6e35a7716c0a25bf4f08194f88011d37e897335c

SHA256
546a86fb778c79c75dea4fa02eefe49827a950d8020f165e7be201b876f5e00a

SHA512
1c59feaccd20bbe1b0c9153ced7cc75907c044e801add6d6d79f5d9688a5fb62244b3f0b77d2b5ba5834f22c1cae1136624d940107e61b5ef59c765c117b1cc4

Download Submit
memory/1332-12-0x0000000004C60000-0x0000000004D60000-memory.dmp

Filesize
1024KB

Download
memory/1332-2-0x0000000004C60000-0x0000000004D60000-memory.dmp

Filesize
1024KB

Download
memory/1332-3-0x0000000000400000-0x0000000002DA0000-memory.dmp

Filesize
41.6MB

Download
memory/1332-1-0x0000000004AF0000-0x0000000004BDC000-memory.dmp

Filesize
944KB

Download
memory/1332-10-0x0000000000400000-0x0000000002DA0000-memory.dmp

Filesize
41.6MB

Download
memory/2592-9-0x0000000002370000-0x00000000024CF000-memory.dmp

Filesize
1.4MB

Download
memory/2592-13-0x0000000002370000-0x00000000024CF000-memory.dmp

Filesize
1.4MB

Download
memory/2592-21-0x0000000002370000-0x00000000024CF000-memory.dmp

Filesize
1.4MB

Download
memory/2592-22-0x0000000002370000-0x00000000024CF000-memory.dmp

Filesize
1.4MB

Download
memory/2592-23-0x0000000002370000-0x00000000024CF000-memory.dmp

Filesize
1.4MB

Download
memory/2592-24-0x0000000002370000-0x00000000024CF000-memory.dmp

Filesize
1.4MB

Download
memory/2592-25-0x0000000002370000-0x00000000024CF000-memory.dmp

Filesize
1.4MB

Download
memory/2592-26-0x0000000002370000-0x00000000024CF000-memory.dmp

Filesize
1.4MB

Download
memory/2592-27-0x0000000002370000-0x00000000024CF000-memory.dmp

Filesize
1.4MB

Download
memory/2592-28-0x0000000002370000-0x00000000024CF000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing