danabot | d5b505a65a96a2c1fb96a92e19e6e34101f958b37d28bc3042f163f7b0664237 | Triage

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
16-02-2024 08:50

Sharing

Report Analysis Logs

General

Target

9ff3878d883583356feb7b280a081c43.dll
Size

1.3MB
MD5

9ff3878d883583356feb7b280a081c43
SHA1

ccd401e219d92121ca57f97c39425816953cfff8
SHA256

d5b505a65a96a2c1fb96a92e19e6e34101f958b37d28bc3042f163f7b0664237
SHA512

f1d65c095651e6caf85584bb51f9822e9898498667050d95d862c2888acfaa5eae2f20e8f6107c15d27e74cd726d2ca197f492c2f14ce109fb9eb1cda5eb3a4d
SSDEEP

24576:HIhaxE+RNNpL5+pcy7ikMDlQMYkKgVfC2LaqTCvYuGP:omC2hD1kZqTo4P

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1728 rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2296 wrote to memory of 1728	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 1728	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 1728	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 1728	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 1728	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 1728	2296	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 1728	2296	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ff3878d883583356feb7b280a081c43.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ff3878d883583356feb7b280a081c43.dll,#1
2⤵
- Blocklisted process makes network request
PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-0-0x0000000002120000-0x000000000227C000-memory.dmp

Filesize
1.4MB

Download
memory/1728-1-0x0000000002120000-0x000000000227C000-memory.dmp

Filesize
1.4MB

Download