danabot | 08dcec9e59f25bb87556ea5acb6c778d88f5bf14d4a130758543f85923e646a0

General

Target

a566e990569d33f61fcd5712953e46b7.exe
Size

1.1MB
MD5

a566e990569d33f61fcd5712953e46b7
SHA1

8ec5c1c91ffddd646515e1cf8ae1be49309f5d4b
SHA256

08dcec9e59f25bb87556ea5acb6c778d88f5bf14d4a130758543f85923e646a0
SHA512

3fd93dd14e6d92da6b5f300be484d5da81871ec4c653de66e3a3eab1672b6d79d94da1f90796156d3324942c9d81599e8d538f72be7127a386e310ccf87d8d3d
SSDEEP

24576:DJSnT43vt7dgVL2TE+ZgsPsu1MtxVvt/eXGigJ8YL:kT4fgmEyKu1ml/6KJ8YL

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 12 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A566E9~1.TMP	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\A566E9~1.TMP	DanabotLoader2021
behavioral1/memory/2228-9-0x00000000008F0000-0x0000000000A4C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2228-11-0x00000000008F0000-0x0000000000A4C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2228-19-0x00000000008F0000-0x0000000000A4C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2228-20-0x00000000008F0000-0x0000000000A4C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2228-21-0x00000000008F0000-0x0000000000A4C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2228-22-0x00000000008F0000-0x0000000000A4C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2228-23-0x00000000008F0000-0x0000000000A4C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2228-24-0x00000000008F0000-0x0000000000A4C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2228-25-0x00000000008F0000-0x0000000000A4C000-memory.dmp	DanabotLoader2021
behavioral1/memory/2228-26-0x00000000008F0000-0x0000000000A4C000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2228 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2228 rundll32.exe

flow	pid	process
2	2228	rundll32.exe

pid	process
2228	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a566e990569d33f61fcd5712953e46b7.exe

description	pid	process	target process
PID 2220 wrote to memory of 2228	2220	a566e990569d33f61fcd5712953e46b7.exe	rundll32.exe
PID 2220 wrote to memory of 2228	2220	a566e990569d33f61fcd5712953e46b7.exe	rundll32.exe
PID 2220 wrote to memory of 2228	2220	a566e990569d33f61fcd5712953e46b7.exe	rundll32.exe
PID 2220 wrote to memory of 2228	2220	a566e990569d33f61fcd5712953e46b7.exe	rundll32.exe
PID 2220 wrote to memory of 2228	2220	a566e990569d33f61fcd5712953e46b7.exe	rundll32.exe
PID 2220 wrote to memory of 2228	2220	a566e990569d33f61fcd5712953e46b7.exe	rundll32.exe
PID 2220 wrote to memory of 2228	2220	a566e990569d33f61fcd5712953e46b7.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a566e990569d33f61fcd5712953e46b7.exe
"C:\Users\Admin\AppData\Local\Temp\a566e990569d33f61fcd5712953e46b7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A566E9~1.TMP,S C:\Users\Admin\AppData\Local\Temp\A566E9~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A566E9~1.TMP

Filesize
45KB

MD5
05abc8eaf9809c19873bd13a776d9d26

SHA1
53d82c2cce7b3b9fec9349d3e17dc5035c0d7d22

SHA256
6a7403ff32a3afb7a8f946442f7bec5c569cfa78f1575654614963d59c78e506

SHA512
fd4f138e383322689bc905f419f01841babc95a0b4547fc7a78f70394549c2cfd8b169ecedf5598ee96a5dfad32d634c44bd82d5b8b5111ff30c46a5012c87c7

Download Submit
\Users\Admin\AppData\Local\Temp\A566E9~1.TMP

Filesize
720KB

MD5
98a412bc25ff97687d6cc45e958f8d32

SHA1
751322f7294d64388fa53caaf276c17c389704a6

SHA256
ae60ac2e5cf1ee4480bf4d4efdb69b40d99c41a53969a9580137f21d6eea87de

SHA512
70e427c39e1195e653eb38c17b8b950909ae435e9d498656763bfa2a98777b95e4541552066831ab72c46aa2eaf76088193f6dee69e69b167572563e1fde6b33

Download Submit
memory/2220-10-0x00000000045E0000-0x00000000046DE000-memory.dmp

Filesize
1016KB

Download
memory/2220-0-0x0000000002DC0000-0x0000000002EA8000-memory.dmp

Filesize
928KB

Download
memory/2220-7-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/2220-5-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/2220-1-0x0000000002DC0000-0x0000000002EA8000-memory.dmp

Filesize
928KB

Download
memory/2220-2-0x00000000045E0000-0x00000000046DE000-memory.dmp

Filesize
1016KB

Download
memory/2228-11-0x00000000008F0000-0x0000000000A4C000-memory.dmp

Filesize
1.4MB

Download
memory/2228-9-0x00000000008F0000-0x0000000000A4C000-memory.dmp

Filesize
1.4MB

Download
memory/2228-19-0x00000000008F0000-0x0000000000A4C000-memory.dmp

Filesize
1.4MB

Download
memory/2228-20-0x00000000008F0000-0x0000000000A4C000-memory.dmp

Filesize
1.4MB

Download
memory/2228-21-0x00000000008F0000-0x0000000000A4C000-memory.dmp

Filesize
1.4MB

Download
memory/2228-22-0x00000000008F0000-0x0000000000A4C000-memory.dmp

Filesize
1.4MB

Download
memory/2228-23-0x00000000008F0000-0x0000000000A4C000-memory.dmp

Filesize
1.4MB

Download
memory/2228-24-0x00000000008F0000-0x0000000000A4C000-memory.dmp

Filesize
1.4MB

Download
memory/2228-25-0x00000000008F0000-0x0000000000A4C000-memory.dmp

Filesize
1.4MB

Download
memory/2228-26-0x00000000008F0000-0x0000000000A4C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing