danabot | b48cf1854b8ff73a0bb9d4e54b5811ea3ac7a5d3e0c6c57f8825a4de396f36cc

Analysis

max time kernel
143s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 08:16

Target

a8aba262bcadfe4fb63930d4d9533fc2.exe
Size

1.2MB
MD5

a8aba262bcadfe4fb63930d4d9533fc2
SHA1

2c5e2d715f6c19de2a4ec38da5c6c98536171c02
SHA256

b48cf1854b8ff73a0bb9d4e54b5811ea3ac7a5d3e0c6c57f8825a4de396f36cc
SHA512

f5dfaf99040f9b9a89890e90d0576a1d842745478ca902af4f8953330940f84314d0bff58d6e218a40841a73ee1ed0a01d2aba228085c7193ef2920cb8de0389
SSDEEP

24576:XIojPlC7PV2kKjW7zeYPmf1Bpw0BL3rd+2wl4W/Vpnr8dvWoNU:XTY7tDeNBpZBL36l4W/f81

Score

10^/10

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A8ABA2~1.TMP	DanabotLoader2021
behavioral1/memory/2820-9-0x0000000000A40000-0x0000000000B9E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2820-10-0x0000000000A40000-0x0000000000B9E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2820-19-0x0000000000A40000-0x0000000000B9E000-memory.dmp	DanabotLoader2021
behavioral1/memory/2820-20-0x0000000000A40000-0x0000000000B9E000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 2820 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2820 rundll32.exe

flow	pid	process
2	2820	rundll32.exe

pid	process
2820	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a8aba262bcadfe4fb63930d4d9533fc2.exe

description	pid	process	target process
PID 2488 wrote to memory of 2820	2488	a8aba262bcadfe4fb63930d4d9533fc2.exe	rundll32.exe
PID 2488 wrote to memory of 2820	2488	a8aba262bcadfe4fb63930d4d9533fc2.exe	rundll32.exe
PID 2488 wrote to memory of 2820	2488	a8aba262bcadfe4fb63930d4d9533fc2.exe	rundll32.exe
PID 2488 wrote to memory of 2820	2488	a8aba262bcadfe4fb63930d4d9533fc2.exe	rundll32.exe
PID 2488 wrote to memory of 2820	2488	a8aba262bcadfe4fb63930d4d9533fc2.exe	rundll32.exe
PID 2488 wrote to memory of 2820	2488	a8aba262bcadfe4fb63930d4d9533fc2.exe	rundll32.exe
PID 2488 wrote to memory of 2820	2488	a8aba262bcadfe4fb63930d4d9533fc2.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a8aba262bcadfe4fb63930d4d9533fc2.exe
"C:\Users\Admin\AppData\Local\Temp\a8aba262bcadfe4fb63930d4d9533fc2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\A8ABA2~1.TMP
Filesize
1.3MB

MD5
1c78e599c4cd81a8d24b261d3bcf4edb

SHA1
5b57d44ca8a87d2f00dd1425854b9dce5b1359ed

SHA256
b07c448bfca39a69d5f715d7a780a6524365040b1ccb048ed643ee3f0ab605ff

SHA512
83a0a69f297c0774da9257e25f19b318b1b66b0769dd6852ad61874bc75bf8058b6ac2478564e6aca891b9ec811ed17186f05eea94083f14fa4c0acc0946d8e2

Download Submit
memory/2488-0-0x0000000003330000-0x000000000341A000-memory.dmp

Filesize
936KB

Download
memory/2488-1-0x0000000003330000-0x000000000341A000-memory.dmp

Filesize
936KB

Download
memory/2488-2-0x0000000004C60000-0x0000000004D5F000-memory.dmp

Filesize
1020KB

Download
memory/2488-7-0x0000000000400000-0x0000000003327000-memory.dmp

Filesize
47.2MB

Download
memory/2488-5-0x0000000000400000-0x0000000003327000-memory.dmp

Filesize
47.2MB

Download
memory/2488-12-0x0000000000400000-0x0000000003327000-memory.dmp

Filesize
47.2MB

Download
memory/2820-9-0x0000000000A40000-0x0000000000B9E000-memory.dmp

Filesize
1.4MB

Download
memory/2820-10-0x0000000000A40000-0x0000000000B9E000-memory.dmp

Filesize
1.4MB

Download
memory/2820-19-0x0000000000A40000-0x0000000000B9E000-memory.dmp

Filesize
1.4MB

Download
memory/2820-20-0x0000000000A40000-0x0000000000B9E000-memory.dmp

Filesize
1.4MB

Download