danabot | 5ddad1b5a2f6225a823c9f50d5e58f251cdf7c403470143322296d993c0fee6e

General

Target

5ddad1b5a2f6225a823c9f50d5e58f251cdf7c403470143322296d993c0fee6e.dll
Size

3.8MB
MD5

d3b160b380f339cf0b4c29267aebc91c
SHA1

baf99ef4c133d4fa188c6605becec34171529d7e
SHA256

5ddad1b5a2f6225a823c9f50d5e58f251cdf7c403470143322296d993c0fee6e
SHA512

41356354a039beb2d9f3c6fa1ee4347f24571dcffdacac2a6a443399d3adefef88208661ba2c6f986ab5d6b63bf8f6236af77427becc81f6f4b0d7418524ac7d

Score

10^/10

danabot 13 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

13

C2

47.254.174.158:1024

Attributes

embedded_hash
00C31B5429D08F1D693B2EF8273492D2

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

15 1728 RUNDLL32.EXE
16 1728 RUNDLL32.EXE
17 1728 RUNDLL32.EXE
18 1728 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
15	1728	RUNDLL32.EXE
16	1728	RUNDLL32.EXE
17	1728	RUNDLL32.EXE
18	1728	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe
1728	RUNDLL32.EXE
1728	RUNDLL32.EXE
3980	powershell.exe
3980	powershell.exe
3980	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4088	rundll32.exe
Token: SeDebugPrivilege	1728	RUNDLL32.EXE
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

1728 RUNDLL32.EXE

pid	process
1728	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

rundll32.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 4012 wrote to memory of 4088	4012	rundll32.exe	rundll32.exe
PID 4012 wrote to memory of 4088	4012	rundll32.exe	rundll32.exe
PID 4012 wrote to memory of 4088	4012	rundll32.exe	rundll32.exe
PID 4088 wrote to memory of 1728	4088	rundll32.exe	RUNDLL32.EXE
PID 4088 wrote to memory of 1728	4088	rundll32.exe	RUNDLL32.EXE
PID 4088 wrote to memory of 1728	4088	rundll32.exe	RUNDLL32.EXE
PID 1728 wrote to memory of 2868	1728	RUNDLL32.EXE	powershell.exe
PID 1728 wrote to memory of 2868	1728	RUNDLL32.EXE	powershell.exe
PID 1728 wrote to memory of 2868	1728	RUNDLL32.EXE	powershell.exe
PID 1728 wrote to memory of 3980	1728	RUNDLL32.EXE	powershell.exe
PID 1728 wrote to memory of 3980	1728	RUNDLL32.EXE	powershell.exe
PID 1728 wrote to memory of 3980	1728	RUNDLL32.EXE	powershell.exe
PID 3980 wrote to memory of 3572	3980	powershell.exe	nslookup.exe
PID 3980 wrote to memory of 3572	3980	powershell.exe	nslookup.exe
PID 3980 wrote to memory of 3572	3980	powershell.exe	nslookup.exe
PID 1728 wrote to memory of 1956	1728	RUNDLL32.EXE	schtasks.exe
PID 1728 wrote to memory of 1956	1728	RUNDLL32.EXE	schtasks.exe
PID 1728 wrote to memory of 1956	1728	RUNDLL32.EXE	schtasks.exe
PID 1728 wrote to memory of 1888	1728	RUNDLL32.EXE	schtasks.exe
PID 1728 wrote to memory of 1888	1728	RUNDLL32.EXE	schtasks.exe
PID 1728 wrote to memory of 1888	1728	RUNDLL32.EXE	schtasks.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ddad1b5a2f6225a823c9f50d5e58f251cdf7c403470143322296d993c0fee6e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ddad1b5a2f6225a823c9f50d5e58f251cdf7c403470143322296d993c0fee6e.dll,#1
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\5ddad1b5a2f6225a823c9f50d5e58f251cdf7c403470143322296d993c0fee6e.dll,MQsmLDYoAWT4
3⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3ED4.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp554C.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:3572

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1956

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e204aecbdd076ba273f355d64b7360b4

SHA1
31027e765e55bf30cd9ec96ee107d4d5c6d1dd88

SHA256
be85b7fef12ab206c0f36be45d6177e3ea05b386da0b31a188ad2c1f7cecad47

SHA512
d8b2b5a0532b561aa4bffade59cbd2eeb8e7d3bc735287974aed9c254bd016ae09c1b2825080370120a402000f0e3db21f1ce9dda8fe1db2a8babd67aab85201

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3ED4.tmp.ps1
MD5
7220f4f8f3f5832e8fa0a5656ee9dc20

SHA1
6eff407770ac369c3a881057244a8f3914b12b46

SHA256
50d71eac1cafb4818a37eccdf9324ea7b6610856c2d49524bab8b5cabd29faac

SHA512
92a7376593249a3f14e61e234f6cd815b2bf7e9c4f5b585df3a320172c51910740f7ca5c4cb5ab71a2a0e5861af6b01da020fa95ca75e3386319827b3ae7fc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3ED5.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp554C.tmp.ps1
MD5
ad0120f5286d7fdc4c5bb683a99db0c6

SHA1
2218f2309fe9159b9c31f46b78fc595022335a8f

SHA256
f4bc39c392fe1c03f1109156cd12817ed9429e93d82d57ff82868bd05700b053

SHA512
420cbc8a6fb2290753eb4495b393266a3ba6c9cfd864374cd7dcec0840c00a80e45f82e5c160592405445da03ef9d2cd9e9dfa3ccbaea971e4929d4a673ec5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp554D.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
memory/1728-9-0x0000000000000000-mapping.dmp

Download
memory/1728-11-0x0000000004C21000-0x0000000005282000-memory.dmp

Filesize
6.4MB

Download
memory/1888-56-0x0000000000000000-mapping.dmp

Download
memory/1956-54-0x0000000000000000-mapping.dmp

Download
memory/2868-18-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2868-28-0x00000000088B0000-0x00000000088B1000-memory.dmp

Filesize
4KB

Download
memory/2868-21-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/2868-22-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/2868-23-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/2868-24-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/2868-25-0x0000000008800000-0x0000000008801000-memory.dmp

Filesize
4KB

Download
memory/2868-26-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/2868-19-0x0000000004E92000-0x0000000004E93000-memory.dmp

Filesize
4KB

Download
memory/2868-15-0x00000000714D0000-0x0000000071BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-29-0x0000000009F10000-0x0000000009F11000-memory.dmp

Filesize
4KB

Download
memory/2868-30-0x00000000094A0000-0x00000000094A1000-memory.dmp

Filesize
4KB

Download
memory/2868-31-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/2868-14-0x0000000000000000-mapping.dmp

Download
memory/2868-33-0x0000000004E93000-0x0000000004E94000-memory.dmp

Filesize
4KB

Download
memory/2868-20-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/2868-17-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/2868-16-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/3572-52-0x0000000000000000-mapping.dmp

Download
memory/3980-34-0x0000000000000000-mapping.dmp

Download
memory/3980-45-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/3980-47-0x0000000006EB2000-0x0000000006EB3000-memory.dmp

Filesize
4KB

Download
memory/3980-46-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/3980-43-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/3980-36-0x0000000070E70000-0x000000007155E000-memory.dmp

Filesize
6.9MB

Download
memory/3980-55-0x0000000006EB3000-0x0000000006EB4000-memory.dmp

Filesize
4KB

Download
memory/4088-2-0x0000000000000000-mapping.dmp

Download
memory/4088-10-0x0000000004AA1000-0x0000000005102000-memory.dmp

Filesize
6.4MB

Download
memory/4088-3-0x0000000000BE1000-0x0000000000F9A000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads