Overview

overview

10

Static

static

3

76b7125caf...76.exe

windows7-x64

76b7125caf...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/03/2025, 09:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76b7125cafff8d6b77629def5a86199d912e7d76.exe

  • Size

    1.2MB

  • MD5

    0cd7b22bfcd2ae0ee4994e82b54fcf81

  • SHA1

    76b7125cafff8d6b77629def5a86199d912e7d76

  • SHA256

    d79c1cf0eb9bae702ffb9d6b9f571ad6ca15f5e3c532616b35895561a30335ed

  • SHA512

    1987b54d334523f89eaa9fa4084357062c86893d23d1cfd54cf10d10a58e41eace3d7f0cd3d075bf29d0d068225df38de09b89a3b55dad647770f13c6558fa50

  • SSDEEP

    24576:tqv8Vv5zCjHuU4izn7QRXDr1a0MIdYxJylZL6L9:tq0ZUlnkRXDr1xMIqLy2x

Score
10/10
danabot4bankerdiscoverytrojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.192.232:443

142.11.242.31:443

192.210.222.88:443
Attributes
  • embedded_hash

    F4711E27D559B4AEB1A081A1EB0AC465

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot Loader Component 11 IoCs
  • Danabot family
    danabot
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76b7125cafff8d6b77629def5a86199d912e7d76.exe
    "C:\Users\Admin\AppData\Local\Temp\76b7125cafff8d6b77629def5a86199d912e7d76.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\76B712~1.DLL,s C:\Users\Admin\AppData\Local\Temp\76B712~1.EXE
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:5020
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 508
      2⤵
      • Program crash
      PID:1864
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1132 -ip 1132
    1⤵
      PID:3736

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\76B712~1.DLL
      Filesize

      1.3MB

      MD5

      d35afc8295000e64904a97dfe00fcecd

      SHA1

      231c02f3784ddaf2fb332987f793a579c62a20d3

      SHA256

      5760e146167773329bb9551cc9f571b1b82e5429f33cfb398d741ca461e2082e

      SHA512

      af65ab37f26990bbf31d6ccdbc354d8daa94a4b66ee4fcbadb8b94483e8d07ad903c7171ebbd38b23b5e951b98545428dece0a2bdd34a83488775088baccc3fb

      Download Submit

    • memory/1132-12-0x0000000000400000-0x0000000000513000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1132-2-0x0000000000950000-0x0000000000A56000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1132-3-0x0000000000400000-0x0000000000513000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1132-1-0x0000000000850000-0x0000000000947000-memory.dmp

      Filesize

      988KB

      Download

    • memory/1132-11-0x0000000000950000-0x0000000000A56000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5020-21-0x0000000002370000-0x00000000024D2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5020-13-0x0000000002370000-0x00000000024D2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5020-9-0x0000000002370000-0x00000000024D2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5020-22-0x0000000002370000-0x00000000024D2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5020-23-0x0000000002370000-0x00000000024D2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5020-24-0x0000000002370000-0x00000000024D2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5020-25-0x0000000002370000-0x00000000024D2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5020-26-0x0000000002370000-0x00000000024D2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5020-27-0x0000000002370000-0x00000000024D2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/5020-28-0x0000000002370000-0x00000000024D2000-memory.dmp

      Filesize

      1.4MB

      Download