danabot | 0f8d2648166184bde6562f33b7e4b620313fe7a21746720d37594213fba7a604

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe
Size

1.1MB
MD5

a244a3b64b61f329489bb5d283bda840
SHA1

30cdd35ea5e3eeb0502a641bef81b9db71762230
SHA256

0f8d2648166184bde6562f33b7e4b620313fe7a21746720d37594213fba7a604
SHA512

293fa4bd0a3b86552d25ca864b0e5f6abb9c43e5d64bea5b694197ba375d74edeb0c27215fd4939dbf04d9b0805d8d7d2cf80f822539bc3772be3becd9c0c417
SSDEEP

12288:cpKrcz9GQmikzLgiaYb0ZPzxwbwgyScsWMifc0FrdbH7+esjQajwROmBVe3Rac26:UAcz9EikngXP6NB8cyz73OH6k86

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

23.254.133.7:443

185.62.58.85:443

213.227.155.102:443

192.236.146.173:443

Attributes

embedded_hash
63B180866F08EFD2B286E54429F1D1E4
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 37 IoCs

Processes:

rundll32.exe

flow	pid	process
41	3168	rundll32.exe
43	3168	rundll32.exe
44	3168	rundll32.exe
45	3168	rundll32.exe
46	3168	rundll32.exe
47	3168	rundll32.exe
48	3168	rundll32.exe
49	3168	rundll32.exe
50	3168	rundll32.exe
51	3168	rundll32.exe
52	3168	rundll32.exe
53	3168	rundll32.exe
54	3168	rundll32.exe
55	3168	rundll32.exe
56	3168	rundll32.exe
57	3168	rundll32.exe
60	3168	rundll32.exe
62	3168	rundll32.exe
63	3168	rundll32.exe
64	3168	rundll32.exe
65	3168	rundll32.exe
66	3168	rundll32.exe
67	3168	rundll32.exe
68	3168	rundll32.exe
69	3168	rundll32.exe
70	3168	rundll32.exe
71	3168	rundll32.exe
72	3168	rundll32.exe
73	3168	rundll32.exe
74	3168	rundll32.exe
75	3168	rundll32.exe
77	3168	rundll32.exe
78	3168	rundll32.exe
79	3168	rundll32.exe
80	3168	rundll32.exe
81	3168	rundll32.exe
85	3168	rundll32.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2928 3564 WerFault.exe a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe
4024 3564 WerFault.exe a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe

pid	pid_target	process	target process
2928	3564	WerFault.exe	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe
4024	3564	WerFault.exe	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe

description	pid	process	target process
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe
PID 3564 wrote to memory of 3168	3564	a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a244a3b64b61f329489bb5d283bda840_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 612
2⤵
- Program crash
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 684
2⤵
- Program crash
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3564 -ip 3564
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3564 -ip 3564
1⤵
PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3168-41-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-57-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-15-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/3168-18-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-19-0x0000000076D20000-0x0000000076EC0000-memory.dmp

Filesize
1.6MB

Download
memory/3168-76-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-75-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-74-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-73-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-20-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-21-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-22-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-23-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-40-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-72-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-71-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-69-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-68-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-67-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-66-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-26-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-27-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-28-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-29-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-17-0x0000000076D64000-0x0000000076D65000-memory.dmp

Filesize
4KB

Download
memory/3168-31-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-32-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-33-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-34-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-35-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-36-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-37-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-47-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-24-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-30-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-42-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-43-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-44-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-45-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-46-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-38-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-48-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-49-0x0000000076D64000-0x0000000076D65000-memory.dmp

Filesize
4KB

Download
memory/3168-50-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-51-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-52-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-53-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-55-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-56-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-16-0x0000000077064000-0x0000000077065000-memory.dmp

Filesize
4KB

Download
memory/3168-58-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-59-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-60-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-61-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-62-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-63-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-64-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3168-65-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download
memory/3564-25-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3564-14-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3564-9-0x0000000002420000-0x0000000002641000-memory.dmp

Filesize
2.1MB

Download
memory/3564-7-0x0000000002330000-0x0000000002418000-memory.dmp

Filesize
928KB

Download
memory/3564-6-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3564-5-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3564-4-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3564-3-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3564-2-0x0000000002420000-0x0000000002641000-memory.dmp

Filesize
2.1MB

Download
memory/3564-1-0x0000000002330000-0x0000000002418000-memory.dmp

Filesize
928KB

Download