danabot | f63dee9e804b9e07c7d7ec013117124dcc92c89e6c632e973140e39296858da7

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 15:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7c085a814f6decb7fac3218e9737435.exe
Size

1.1MB
MD5

b7c085a814f6decb7fac3218e9737435
SHA1

ca62d1a941e91a7a410c780ff7e60dd349ded93a
SHA256

f63dee9e804b9e07c7d7ec013117124dcc92c89e6c632e973140e39296858da7
SHA512

f9a06761608727e043a86520e1395253c7c0bc881efe13427b04cacba10ef7e52c5c38988faad82ba1ba546022a292db1031100fc69a151ab7bf33e4d8f6396a
SSDEEP

24576:YGFY4tXZlXTrSGiLGg1uMs0qssTrNvVQlMofbS1Nq5FRv2nbB:YMdrzig00XPQSofbkuuF

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012251-7.dat	DanabotLoader2021
behavioral1/memory/1932-9-0x0000000000470000-0x00000000005CF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1932-10-0x0000000000470000-0x00000000005CF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1932-18-0x0000000000470000-0x00000000005CF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1932-19-0x0000000000470000-0x00000000005CF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1932-20-0x0000000000470000-0x00000000005CF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1932-21-0x0000000000470000-0x00000000005CF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1932-22-0x0000000000470000-0x00000000005CF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1932-23-0x0000000000470000-0x00000000005CF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1932-24-0x0000000000470000-0x00000000005CF000-memory.dmp	DanabotLoader2021
behavioral1/memory/1932-25-0x0000000000470000-0x00000000005CF000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1932	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1932	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1932	2160	b7c085a814f6decb7fac3218e9737435.exe	28
PID 2160 wrote to memory of 1932	2160	b7c085a814f6decb7fac3218e9737435.exe	28
PID 2160 wrote to memory of 1932	2160	b7c085a814f6decb7fac3218e9737435.exe	28
PID 2160 wrote to memory of 1932	2160	b7c085a814f6decb7fac3218e9737435.exe	28
PID 2160 wrote to memory of 1932	2160	b7c085a814f6decb7fac3218e9737435.exe	28
PID 2160 wrote to memory of 1932	2160	b7c085a814f6decb7fac3218e9737435.exe	28
PID 2160 wrote to memory of 1932	2160	b7c085a814f6decb7fac3218e9737435.exe	28

C:\Users\Admin\AppData\Local\Temp\b7c085a814f6decb7fac3218e9737435.exe
"C:\Users\Admin\AppData\Local\Temp\b7c085a814f6decb7fac3218e9737435.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B7C085~1.TMP,S C:\Users\Admin\AppData\Local\Temp\B7C085~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B7C085~1.TMP

Filesize
1.3MB

MD5
973e243a21c58d1ce53e81b6cfb13f29

SHA1
7e8eba90c43e6bc2bbbb966923f9f9ff76ab01d6

SHA256
a4f029ef2f2dcd8319955185a0675b446ad78f737a383afb57f86ae70335d1a3

SHA512
d44b3c66611ef1b16eb15361cb476776d1980a6b9d5a1abac73a3b3942b95205c54dafb7f99e86d0c640f85c38ec7eaa66ca63578704cde61ff7dc269e1a9ebe

Download Submit
memory/1932-22-0x0000000000470000-0x00000000005CF000-memory.dmp

Filesize
1.4MB

Download
memory/1932-18-0x0000000000470000-0x00000000005CF000-memory.dmp

Filesize
1.4MB

Download
memory/1932-25-0x0000000000470000-0x00000000005CF000-memory.dmp

Filesize
1.4MB

Download
memory/1932-24-0x0000000000470000-0x00000000005CF000-memory.dmp

Filesize
1.4MB

Download
memory/1932-23-0x0000000000470000-0x00000000005CF000-memory.dmp

Filesize
1.4MB

Download
memory/1932-9-0x0000000000470000-0x00000000005CF000-memory.dmp

Filesize
1.4MB

Download
memory/1932-19-0x0000000000470000-0x00000000005CF000-memory.dmp

Filesize
1.4MB

Download
memory/1932-21-0x0000000000470000-0x00000000005CF000-memory.dmp

Filesize
1.4MB

Download
memory/1932-10-0x0000000000470000-0x00000000005CF000-memory.dmp

Filesize
1.4MB

Download
memory/1932-20-0x0000000000470000-0x00000000005CF000-memory.dmp

Filesize
1.4MB

Download
memory/2160-1-0x0000000001EB0000-0x0000000001F9A000-memory.dmp

Filesize
936KB

Download
memory/2160-0-0x0000000001EB0000-0x0000000001F9A000-memory.dmp

Filesize
936KB

Download
memory/2160-2-0x0000000001FA0000-0x000000000209F000-memory.dmp

Filesize
1020KB

Download
memory/2160-6-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2160-5-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download