danabot | 90d3303cc9628d39013556750168afdcb0d3196d95ae004fd5a9642238636875

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fef6b272e83c2db9338ad55ffb6e8f6e_JaffaCakes118.dll
Size

1.3MB
MD5

fef6b272e83c2db9338ad55ffb6e8f6e
SHA1

90c912ce3613ebcc0ecad406bf1c86fdc58162a8
SHA256

90d3303cc9628d39013556750168afdcb0d3196d95ae004fd5a9642238636875
SHA512

4b7d93dd2e9458e277391f3074dc76d4e92442bf1db0d7fb630f4896f27001bf4350062ddeb452887d1d6e69f6cac914bab6bad34e086a2fb8b6b951d23e4f7c
SSDEEP

24576:2cFXB3P/KiY386VWysaBaotyaD8u9hZ0Bc0TU522c:tWzXko8awdc0Ty22c

Score

10^/10

danabot 15 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

192.52.167.44:443

192.52.166.92:443

192.52.167.45:443

173.254.204.95:443

Attributes

embedded_hash
740FCC7615F224B3D909D4EC25568A2A
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

resource	yara_rule
behavioral1/memory/2772-0-0x0000000001F90000-0x00000000020ED000-memory.dmp	DanabotLoader2021
behavioral1/memory/2772-1-0x0000000001F90000-0x00000000020ED000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2772	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fef6b272e83c2db9338ad55ffb6e8f6e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fef6b272e83c2db9338ad55ffb6e8f6e_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2772-0-0x0000000001F90000-0x00000000020ED000-memory.dmp

Filesize
1.4MB

Download
memory/2772-1-0x0000000001F90000-0x00000000020ED000-memory.dmp

Filesize
1.4MB

Download