danabot | e3433215e57803029ce2a3e019d844b377aeb77ea11e0154289fbd4c24838d51

General

Target

3350aae4c4ebb8a9d200f05d1fd7950b.exe
Size

4.4MB
MD5

3350aae4c4ebb8a9d200f05d1fd7950b
SHA1

19468c85dd6772e7d5566bd9f3c216c4e8bfcfae
SHA256

e3433215e57803029ce2a3e019d844b377aeb77ea11e0154289fbd4c24838d51
SHA512

0646016c83f4da20138a4a9c710b368de53152000e8bce6cebfedea787bb9a1c94068078b88ba557976c12fa009c6cb72305dcafacdb85a6d59587cac2aeef86

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

108.62.118.103:443

23.226.132.92:443

23.106.123.249:443

108.62.141.152:443

Attributes

embedded_hash
49574F66CD0103BBD725C08A9805C2BE

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	3192	RUNDLL32.EXE

Deletes itself 1 IoCs

pid	Process
3248	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
3248	rundll32.exe
3248	rundll32.exe
3192	RUNDLL32.EXE
3192	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3380	powershell.exe
3380	powershell.exe
3380	powershell.exe
3192	RUNDLL32.EXE
3192	RUNDLL32.EXE
3820	powershell.exe
3820	powershell.exe
3820	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3248	rundll32.exe
Token: SeDebugPrivilege	3192	RUNDLL32.EXE
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3192	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 3248	576	3350aae4c4ebb8a9d200f05d1fd7950b.exe	75
PID 576 wrote to memory of 3248	576	3350aae4c4ebb8a9d200f05d1fd7950b.exe	75
PID 576 wrote to memory of 3248	576	3350aae4c4ebb8a9d200f05d1fd7950b.exe	75
PID 3248 wrote to memory of 3192	3248	rundll32.exe	76
PID 3248 wrote to memory of 3192	3248	rundll32.exe	76
PID 3248 wrote to memory of 3192	3248	rundll32.exe	76
PID 3192 wrote to memory of 3380	3192	RUNDLL32.EXE	80
PID 3192 wrote to memory of 3380	3192	RUNDLL32.EXE	80
PID 3192 wrote to memory of 3380	3192	RUNDLL32.EXE	80
PID 3192 wrote to memory of 3820	3192	RUNDLL32.EXE	82
PID 3192 wrote to memory of 3820	3192	RUNDLL32.EXE	82
PID 3192 wrote to memory of 3820	3192	RUNDLL32.EXE	82
PID 3820 wrote to memory of 196	3820	powershell.exe	84
PID 3820 wrote to memory of 196	3820	powershell.exe	84
PID 3820 wrote to memory of 196	3820	powershell.exe	84
PID 3192 wrote to memory of 1224	3192	RUNDLL32.EXE	85
PID 3192 wrote to memory of 1224	3192	RUNDLL32.EXE	85
PID 3192 wrote to memory of 1224	3192	RUNDLL32.EXE	85
PID 3192 wrote to memory of 1004	3192	RUNDLL32.EXE	87
PID 3192 wrote to memory of 1004	3192	RUNDLL32.EXE	87
PID 3192 wrote to memory of 1004	3192	RUNDLL32.EXE	87

C:\Users\Admin\AppData\Local\Temp\3350aae4c4ebb8a9d200f05d1fd7950b.exe
"C:\Users\Admin\AppData\Local\Temp\3350aae4c4ebb8a9d200f05d1fd7950b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3350AA~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\3350AA~1.EXE
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3350AA~1.DLL,ej48LDYSBQ==
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp8310.tmp.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpA446.tmp.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        5⤵
        
        PID:196
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      4⤵
      PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-2-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/3192-11-0x0000000004C80000-0x00000000052DF000-memory.dmp

Filesize
6.4MB

Download
memory/3248-7-0x00000000049A0000-0x0000000004FFF000-memory.dmp

Filesize
6.4MB

Download
memory/3380-20-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/3380-18-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/3380-21-0x0000000008230000-0x0000000008231000-memory.dmp

Filesize
4KB

Download
memory/3380-24-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/3380-25-0x00000000097E0000-0x00000000097E1000-memory.dmp

Filesize
4KB

Download
memory/3380-26-0x0000000008D70000-0x0000000008D71000-memory.dmp

Filesize
4KB

Download
memory/3380-27-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/3380-19-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/3380-22-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/3380-13-0x00000000709C0000-0x00000000710AE000-memory.dmp

Filesize
6.9MB

Download
memory/3380-14-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/3380-17-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/3380-15-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/3380-16-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/3820-40-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/3820-37-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/3820-31-0x0000000070360000-0x0000000070A4E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing