danabot | 0f8d2648166184bde6562f33b7e4b620313fe7a21746720d37594213fba7a604

General

Target

a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe
Size

1.1MB
MD5

a244a3b64b61f329489bb5d283bda840
SHA1

30cdd35ea5e3eeb0502a641bef81b9db71762230
SHA256

0f8d2648166184bde6562f33b7e4b620313fe7a21746720d37594213fba7a604
SHA512

293fa4bd0a3b86552d25ca864b0e5f6abb9c43e5d64bea5b694197ba375d74edeb0c27215fd4939dbf04d9b0805d8d7d2cf80f822539bc3772be3becd9c0c417
SSDEEP

12288:cpKrcz9GQmikzLgiaYb0ZPzxwbwgyScsWMifc0FrdbH7+esjQajwROmBVe3Rac26:UAcz9EikngXP6NB8cyz73OH6k86

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.254.133.7:443

185.62.58.85:443

213.227.155.102:443

192.236.146.173:443

Attributes

embedded_hash
63B180866F08EFD2B286E54429F1D1E4
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2520	rundll32.exe
6	2520	rundll32.exe
8	2520	rundll32.exe
9	2520	rundll32.exe
10	2520	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30
PID 2236 wrote to memory of 2520	2236	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	30

C:\Users\Admin\AppData\Local\Temp\a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:2520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2236-0-0x0000000000220000-0x00000000002FD000-memory.dmp

Filesize
884KB

Download
memory/2236-1-0x0000000000220000-0x00000000002FD000-memory.dmp

Filesize
884KB

Download
memory/2236-2-0x0000000002010000-0x0000000002231000-memory.dmp

Filesize
2.1MB

Download
memory/2236-3-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2236-4-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2236-5-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2236-6-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2236-8-0x0000000002010000-0x0000000002231000-memory.dmp

Filesize
2.1MB

Download
memory/2236-13-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2236-34-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2520-28-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/2520-14-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/2520-15-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/2520-30-0x00000000755D0000-0x00000000755D1000-memory.dmp

Filesize
4KB

Download
memory/2520-31-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/2520-33-0x00000000755B0000-0x00000000756B0000-memory.dmp

Filesize
1024KB

Download
memory/2520-32-0x00000000755B0000-0x00000000756B0000-memory.dmp

Filesize
1024KB

Download
memory/2520-29-0x0000000077240000-0x0000000077241000-memory.dmp

Filesize
4KB

Download
memory/2520-36-0x00000000755D0000-0x00000000755D1000-memory.dmp

Filesize
4KB

Download
memory/2520-37-0x00000000755B0000-0x00000000756B0000-memory.dmp

Filesize
1024KB

Download
memory/2520-38-0x00000000755B0000-0x00000000756B0000-memory.dmp

Filesize
1024KB

Download
memory/2520-41-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/2520-42-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/2520-44-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/2520-49-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing