Overview

overview

10

Static

static

3

ab4cf6181c...29.exe

windows7-x64

10

ab4cf6181c...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-02-2024 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab4cf6181cfb102ec86c66d56af2d229.exe

  • Size

    1.1MB

  • MD5

    ab4cf6181cfb102ec86c66d56af2d229

  • SHA1

    ac756cbff2887e804e9957898b0d6450a33a0aa1

  • SHA256

    f7c566ca7413a1259a7bcc120bc431a5ad129438b1e8b9b51c398d5eecfc51a5

  • SHA512

    dec2910e395b1714966c85741f1062f6a4b62a9a1ab3f8f92c573a2b44a49ced2a963f383247b871eb90ec7cc795a4226dc0944b8bce3e74bb3f5bd2024b0a2f

  • SSDEEP

    24576:RtrUusPn8AAsDdRY+KBXRLR6YD1kl6YfaWAy0BPA:RtvsP9JRY+KBB96YKIsFn0BI

Score
10/10
danabot4bankertrojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.124:443

142.11.206.50:443
Attributes
  • embedded_hash

    6AD9FE4F9E491E785665E0D144F61DAB

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab4cf6181cfb102ec86c66d56af2d229.exe
    "C:\Users\Admin\AppData\Local\Temp\ab4cf6181cfb102ec86c66d56af2d229.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMP,S C:\Users\Admin\AppData\Local\Temp\AB4CF6~1.EXE
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:1580
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 444
      2⤵
      • Program crash
      PID:3384
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2980 -ip 2980
    1⤵
      PID:1848

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AB4CF6~1.TMP
      Filesize

      1.3MB

      MD5

      279fd5be1ef6f78dceaea9160797d3ca

      SHA1

      02d83bb9752b2f9cb205fbba5ef084069204ce5c

      SHA256

      79e7f889f4d8c8475bef4a94124ffcdc68d1b2f8b632a6f3539179945f481477

      SHA512

      9459221ca625f4969ca4dbf68c9765f01b71d36b90cb5c0cee863e764da6c2fd2317581bdfdbfb0440133ed3435b90516ea36e06b20efd1267ca22bfe34bb216

      Download Submit

    • memory/1580-10-0x0000000000400000-0x000000000055D000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1580-18-0x0000000000400000-0x000000000055D000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1580-19-0x0000000000400000-0x000000000055D000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2980-1-0x0000000002750000-0x0000000002841000-memory.dmp

      Filesize

      964KB

      Download

    • memory/2980-2-0x0000000002850000-0x000000000294E000-memory.dmp

      Filesize

      1016KB

      Download

    • memory/2980-3-0x0000000000400000-0x0000000000982000-memory.dmp

      Filesize

      5.5MB

      Download

    • memory/2980-8-0x0000000000400000-0x0000000000982000-memory.dmp

      Filesize

      5.5MB

      Download

    • memory/2980-9-0x0000000002850000-0x000000000294E000-memory.dmp

      Filesize

      1016KB

      Download