danabot | 4a05a54dfa70ecd26651badbc03975c7c896e0a2f17acb030acf8d12441276a5

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-02-2024 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a049e4d179686744b0e4e6472aadecb8.exe
Size

1.2MB
MD5

a049e4d179686744b0e4e6472aadecb8
SHA1

2aedafb10302fe4121858e8233f826f8260d63ff
SHA256

4a05a54dfa70ecd26651badbc03975c7c896e0a2f17acb030acf8d12441276a5
SHA512

b2420e1cbc41d44fa48142e4a3f5c169c92db19ea5cde723dfbb01f1ff0f16ed0598636176c64298f405fcdbd86bcb9a94f43d135d4e68448a99ce8de62ff6ea
SSDEEP

24576:aifXVeSyIuPNpoRP2BmhqNw1N/HWlRM2g/dI8/nJq1:aeeXPNp22BwoNk2g/dI8R

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

embedded_hash
0E1A7A1479C37094441FA911262B322A
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\A049E4~1.DLL	DanabotLoader2021
behavioral1/memory/2604-18-0x0000000000A00000-0x0000000000B61000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\A049E4~1.DLL	DanabotLoader2021
behavioral1/memory/2604-20-0x0000000000A00000-0x0000000000B61000-memory.dmp	DanabotLoader2021
behavioral1/memory/2604-33-0x0000000000A00000-0x0000000000B61000-memory.dmp	DanabotLoader2021
behavioral1/memory/2604-34-0x0000000000A00000-0x0000000000B61000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2604 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

2604 rundll32.exe
2604 rundll32.exe
2604 rundll32.exe
2604 rundll32.exe

flow	pid	process
2	2604	rundll32.exe

pid	process
2604	rundll32.exe
2604	rundll32.exe
2604	rundll32.exe
2604	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a049e4d179686744b0e4e6472aadecb8.exe

description	pid	process	target process
PID 2264 wrote to memory of 2604	2264	a049e4d179686744b0e4e6472aadecb8.exe	rundll32.exe
PID 2264 wrote to memory of 2604	2264	a049e4d179686744b0e4e6472aadecb8.exe	rundll32.exe
PID 2264 wrote to memory of 2604	2264	a049e4d179686744b0e4e6472aadecb8.exe	rundll32.exe
PID 2264 wrote to memory of 2604	2264	a049e4d179686744b0e4e6472aadecb8.exe	rundll32.exe
PID 2264 wrote to memory of 2604	2264	a049e4d179686744b0e4e6472aadecb8.exe	rundll32.exe
PID 2264 wrote to memory of 2604	2264	a049e4d179686744b0e4e6472aadecb8.exe	rundll32.exe
PID 2264 wrote to memory of 2604	2264	a049e4d179686744b0e4e6472aadecb8.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a049e4d179686744b0e4e6472aadecb8.exe
"C:\Users\Admin\AppData\Local\Temp\a049e4d179686744b0e4e6472aadecb8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A049E4~1.DLL,s C:\Users\Admin\AppData\Local\Temp\A049E4~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\A049E4~1.DLL

Filesize
1.2MB

MD5
96e8dce47032fc831ec2bc70bb33fa6c

SHA1
38d045e3d6eaed948983e5be3b32f48605ac2ff7

SHA256
6b08958d604911d0dd7a4182f50ccb4778c88a6194aa32f37574577951905a94

SHA512
35137be194ce7aeb82272b3c7e90c34a4966cf3a394bf33a4b4dbbe44d4244eea416721302aeee5584bfb61cbd46eb7b96c867b11ad6b7368b5af2262a8cde36

Download Submit
\Users\Admin\AppData\Local\Temp\A049E4~1.DLL

Filesize
1.3MB

MD5
d71ca211aaf73e8390ddbcfdd5ef6a7c

SHA1
c39af2a83b1d91fb14090af99d6695f1ab7c84db

SHA256
7e647a4b7b8a81a461fa2221882a858575642528743954e27960bd4bc4b73fbd

SHA512
822af73d60bc1af4aea0fd4025d4361f6bd5508e971820c5a4037c198e58575601510c9907c7acbc2a786b8cc2dbca697c724e839a914ffbaf637c5fef4638c9

Download Submit
memory/2264-5-0x0000000000400000-0x000000000224D000-memory.dmp

Filesize
30.3MB

Download
memory/2264-0-0x0000000003B30000-0x0000000003C1E000-memory.dmp

Filesize
952KB

Download
memory/2264-6-0x0000000000400000-0x000000000224D000-memory.dmp

Filesize
30.3MB

Download
memory/2264-8-0x0000000003C20000-0x0000000003D26000-memory.dmp

Filesize
1.0MB

Download
memory/2264-1-0x0000000003B30000-0x0000000003C1E000-memory.dmp

Filesize
952KB

Download
memory/2264-2-0x0000000003C20000-0x0000000003D26000-memory.dmp

Filesize
1.0MB

Download
memory/2264-19-0x0000000000400000-0x000000000224D000-memory.dmp

Filesize
30.3MB

Download
memory/2264-31-0x0000000000400000-0x000000000224D000-memory.dmp

Filesize
30.3MB

Download
memory/2604-18-0x0000000000A00000-0x0000000000B61000-memory.dmp

Filesize
1.4MB

Download
memory/2604-20-0x0000000000A00000-0x0000000000B61000-memory.dmp

Filesize
1.4MB

Download
memory/2604-33-0x0000000000A00000-0x0000000000B61000-memory.dmp

Filesize
1.4MB

Download
memory/2604-34-0x0000000000A00000-0x0000000000B61000-memory.dmp

Filesize
1.4MB

Download