danabot | f63dee9e804b9e07c7d7ec013117124dcc92c89e6c632e973140e39296858da7

Analysis

max time kernel
150s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 15:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7c085a814f6decb7fac3218e9737435.exe
Size

1.1MB
MD5

b7c085a814f6decb7fac3218e9737435
SHA1

ca62d1a941e91a7a410c780ff7e60dd349ded93a
SHA256

f63dee9e804b9e07c7d7ec013117124dcc92c89e6c632e973140e39296858da7
SHA512

f9a06761608727e043a86520e1395253c7c0bc881efe13427b04cacba10ef7e52c5c38988faad82ba1ba546022a292db1031100fc69a151ab7bf33e4d8f6396a
SSDEEP

24576:YGFY4tXZlXTrSGiLGg1uMs0qssTrNvVQlMofbS1Nq5FRv2nbB:YMdrzig00XPQSofbkuuF

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 10 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023225-6.dat	DanabotLoader2021
behavioral2/memory/2368-10-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2368-18-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2368-19-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2368-20-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2368-21-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2368-22-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2368-23-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2368-24-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021
behavioral2/memory/2368-25-0x0000000000400000-0x000000000055F000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
64	2368	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3724	700	WerFault.exe	86

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 700 wrote to memory of 2368	700	b7c085a814f6decb7fac3218e9737435.exe	90
PID 700 wrote to memory of 2368	700	b7c085a814f6decb7fac3218e9737435.exe	90
PID 700 wrote to memory of 2368	700	b7c085a814f6decb7fac3218e9737435.exe	90

C:\Users\Admin\AppData\Local\Temp\b7c085a814f6decb7fac3218e9737435.exe
"C:\Users\Admin\AppData\Local\Temp\b7c085a814f6decb7fac3218e9737435.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:700
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B7C085~1.TMP,S C:\Users\Admin\AppData\Local\Temp\B7C085~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 520
  2⤵
  - Program crash
  PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 700 -ip 700
1⤵
PID:2344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B7C085~1.TMP

Filesize
1.3MB

MD5
973e243a21c58d1ce53e81b6cfb13f29

SHA1
7e8eba90c43e6bc2bbbb966923f9f9ff76ab01d6

SHA256
a4f029ef2f2dcd8319955185a0675b446ad78f737a383afb57f86ae70335d1a3

SHA512
d44b3c66611ef1b16eb15361cb476776d1980a6b9d5a1abac73a3b3942b95205c54dafb7f99e86d0c640f85c38ec7eaa66ca63578704cde61ff7dc269e1a9ebe

Download Submit
memory/700-1-0x0000000002250000-0x0000000002344000-memory.dmp

Filesize
976KB

Download
memory/700-2-0x0000000002350000-0x000000000244F000-memory.dmp

Filesize
1020KB

Download
memory/700-3-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/700-8-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/700-9-0x0000000002350000-0x000000000244F000-memory.dmp

Filesize
1020KB

Download
memory/2368-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-20-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download