Overview

overview

10

Static

static

3

551ea10103...1d.exe

windows7-x64

10

551ea10103...1d.exe

windows10-2004-x64

10

Resubmissions

03/09/2024, 14:59

240903-sc2res1dqc 10

03/09/2024, 14:55

240903-saylzszdnn 10

Analysis

  • max time kernel
    52s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/09/2024, 14:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe

  • Size

    1.2MB

  • MD5

    aae3bdf6a69bea9f0c318fd6d0d734a9

  • SHA1

    8b66f377b26971f7ca04cd195a8b259c0de6af2e

  • SHA256

    551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d

  • SHA512

    c0cdf71d41b1a932a778b3d654f3e912d387fb67040c5643e083860ee95a6e33526aee3fb210489244708addb2eef69cfe8260f2918f2cceaa6c6a6ef56bdcd1

  • SSDEEP

    24576:MOKVUR8pBibV0bNUuKEa39XuktoabwxHnO0cmhMO3z39+aVBYPzP4sEv0:M7mR8pBi50bdKEa1H9b0HWvEzbXYks/

Score
10/10
danabot4bankerdiscoverytrojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443
Attributes
  • embedded_hash

    F4711E27D559B4AEB1A081A1EB0AC465

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot Loader Component 4 IoCs
  • Loads dropped DLL 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 51 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe
    "C:\Users\Admin\AppData\Local\Temp\551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\551EA1~1.DLL,s C:\Users\Admin\AppData\Local\Temp\551EA1~1.EXE
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3040
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\551EA1~1.DLL
    Filesize

    1.3MB

    MD5

    71cef61feea7c6f6018b7d3dadf8ae39

    SHA1

    89f2b9575ff3c7017f19200b97a3d63387aaa03b

    SHA256

    c7294508b36e2efdfab438ac38d9a098cc0d08aca5f2bead321a142bda08133e

    SHA512

    08731bd0ffdfeebd7d2ac2e142fe5169d8bd79e61cd6b97ccffdb46ae31c74217d08d1bddcbcd2e5a8ecb3c3e702bd3dec2b8e7dac582c6ab6ee613bb2b95352

    Download Submit

  • memory/2096-8-0x0000000000400000-0x0000000000512000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2096-0-0x0000000000220000-0x000000000030E000-memory.dmp

    Filesize

    952KB

    Download

  • memory/2096-3-0x0000000000400000-0x0000000000512000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2096-1-0x0000000000220000-0x000000000030E000-memory.dmp

    Filesize

    952KB

    Download

  • memory/2096-10-0x0000000004870000-0x0000000004975000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2096-6-0x0000000000400000-0x0000000002FF1000-memory.dmp

    Filesize

    43.9MB

    Download

  • memory/2096-2-0x0000000004870000-0x0000000004975000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2096-9-0x0000000000220000-0x000000000030E000-memory.dmp

    Filesize

    952KB

    Download

  • memory/2720-18-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2720-19-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2720-21-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2720-22-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2720-23-0x00000000024A0000-0x00000000024B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3040-16-0x0000000001FC0000-0x0000000002121000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3040-15-0x0000000001FC0000-0x0000000002121000-memory.dmp

    Filesize

    1.4MB

    Download