danabot | a954e03d2300786bf77ab0caab269c05b75c34d62e0497979bfbb6919befcff5

Analysis

max time kernel
104s
max time network
111s
platform
windows10_x64
resource
win10v20201028
submitted
26-02-2021 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bull.exe
Size

6.0MB
MD5

03b1daa2ee50da70c70c779b7471f492
SHA1

dfccc553dd00dee74dc212373a82cae24e2648b5
SHA256

a954e03d2300786bf77ab0caab269c05b75c34d62e0497979bfbb6919befcff5
SHA512

5992a51209077ef25069c6c2e2a8f7f30e049e4938c9f0be49d3eaa02267f307d7fc23b5589151d910a5ff66fe20dd0c798a0b0b403597f311cf145d5ee9ef4e

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

192.3.26.98:443

192.236.146.203:443

142.44.224.16:443

192.161.48.5:443

Attributes

embedded_hash
B2585F6479280F48B64C99F950BBF36D

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 1 IoCs

Processes:

RUNDLL32.EXE

flow pid process

11 4044 RUNDLL32.EXE
Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

3068 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3068 rundll32.exe
3068 rundll32.exe
4044 RUNDLL32.EXE
4044 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
11	4044	RUNDLL32.EXE

pid	process
3068	rundll32.exe

pid	process
3068	rundll32.exe
3068	rundll32.exe
4044	RUNDLL32.EXE
4044	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
2640	powershell.exe
2640	powershell.exe
2640	powershell.exe
4044	RUNDLL32.EXE
4044	RUNDLL32.EXE
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3068	rundll32.exe
Token: SeDebugPrivilege	4044	RUNDLL32.EXE
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

4044 RUNDLL32.EXE

pid	process
4044	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

bull.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3620 wrote to memory of 3068	3620	bull.exe	rundll32.exe
PID 3620 wrote to memory of 3068	3620	bull.exe	rundll32.exe
PID 3620 wrote to memory of 3068	3620	bull.exe	rundll32.exe
PID 3068 wrote to memory of 4044	3068	rundll32.exe	RUNDLL32.EXE
PID 3068 wrote to memory of 4044	3068	rundll32.exe	RUNDLL32.EXE
PID 3068 wrote to memory of 4044	3068	rundll32.exe	RUNDLL32.EXE
PID 4044 wrote to memory of 2640	4044	RUNDLL32.EXE	powershell.exe
PID 4044 wrote to memory of 2640	4044	RUNDLL32.EXE	powershell.exe
PID 4044 wrote to memory of 2640	4044	RUNDLL32.EXE	powershell.exe
PID 4044 wrote to memory of 1784	4044	RUNDLL32.EXE	powershell.exe
PID 4044 wrote to memory of 1784	4044	RUNDLL32.EXE	powershell.exe
PID 4044 wrote to memory of 1784	4044	RUNDLL32.EXE	powershell.exe
PID 1784 wrote to memory of 208	1784	powershell.exe	nslookup.exe
PID 1784 wrote to memory of 208	1784	powershell.exe	nslookup.exe
PID 1784 wrote to memory of 208	1784	powershell.exe	nslookup.exe
PID 4044 wrote to memory of 4036	4044	RUNDLL32.EXE	schtasks.exe
PID 4044 wrote to memory of 4036	4044	RUNDLL32.EXE	schtasks.exe
PID 4044 wrote to memory of 4036	4044	RUNDLL32.EXE	schtasks.exe
PID 4044 wrote to memory of 2712	4044	RUNDLL32.EXE	schtasks.exe
PID 4044 wrote to memory of 2712	4044	RUNDLL32.EXE	schtasks.exe
PID 4044 wrote to memory of 2712	4044	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\bull.exe
"C:\Users\Admin\AppData\Local\Temp\bull.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BULLEX~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\bull.exe
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BULLEX~1.DLL,iTtOLDbmBDw=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp7A08.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp92B2.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:208

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:4036

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
907da3b9e992f2491546f22c3f834afe

SHA1
34d1fcc692c2c4908ad23fb9cccecc8e57022bb9

SHA256
53f2376cbce7f17d10a8363ed7dee771198b9fd60c8e02c4772df5250a5e3fc1

SHA512
0f1fa8d1dee1ef4d2ac2c2ad20e72399a82918a0b8b36a9f5ad6a1713a27c3d9f08fdc94a31162de7f5e71592aae4f3880ece40853304e3f4e460f8f6a6c046a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BULLEX~1.DLL
MD5
7daab1cfff460632833453f41925141e

SHA1
728b0a67930de5b86ed91b9a953d1101f45bcb7a

SHA256
2175991645153bed680b94b99d5666d7031a7abee2fb108d0c172de7766b88e4

SHA512
a0f1739e9a093554df58bb5ff38ccefb66c0fba3f2d3107c05a48dad4f3f0e1c147500394d4f1ed5ba030737ac07385eb67780729a5512ea0dd78a59622c2615

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A08.tmp.ps1
MD5
532cd70c385c66ff53c2b66e6b6b6428

SHA1
71ac5c9696aacd8ad5e7957d37e92c4463d7d99d

SHA256
388ffb75a42c4ecd3d1fcf223b73d285ae235e534075438978034967ea8b3426

SHA512
49fbf33bc369a3c1dd2f22dfa90bf8d0bb13c95357127a0b83a76e931c94210c3e163f0a524e8805ad4a2a66b760adaf7a4627c6c776aa95c940f180d4d889f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A09.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92B2.tmp.ps1
MD5
9ee083be5cc04d3bd7da3d84aa55e36d

SHA1
b685d65f1543d3986f83e45b5399903118fb7b33

SHA256
ec357069bbf07804fc279ff0c2100d37f4cd7ad2c50ef28b2800e0f517c66140

SHA512
89fbd3e8685eff2e3b0ab8033b27b6108cc74d46a8f3297728a47af85809fe5c6280fad90bf5af096ddd5cf7b41a4a346880e016a4b34176d7bc0e07debb39bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92B3.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\BULLEX~1.DLL
MD5
7daab1cfff460632833453f41925141e

SHA1
728b0a67930de5b86ed91b9a953d1101f45bcb7a

SHA256
2175991645153bed680b94b99d5666d7031a7abee2fb108d0c172de7766b88e4

SHA512
a0f1739e9a093554df58bb5ff38ccefb66c0fba3f2d3107c05a48dad4f3f0e1c147500394d4f1ed5ba030737ac07385eb67780729a5512ea0dd78a59622c2615

Download Submit
\Users\Admin\AppData\Local\Temp\BULLEX~1.DLL
MD5
7daab1cfff460632833453f41925141e

SHA1
728b0a67930de5b86ed91b9a953d1101f45bcb7a

SHA256
2175991645153bed680b94b99d5666d7031a7abee2fb108d0c172de7766b88e4

SHA512
a0f1739e9a093554df58bb5ff38ccefb66c0fba3f2d3107c05a48dad4f3f0e1c147500394d4f1ed5ba030737ac07385eb67780729a5512ea0dd78a59622c2615

Download Submit
\Users\Admin\AppData\Local\Temp\BULLEX~1.DLL
MD5
7daab1cfff460632833453f41925141e

SHA1
728b0a67930de5b86ed91b9a953d1101f45bcb7a

SHA256
2175991645153bed680b94b99d5666d7031a7abee2fb108d0c172de7766b88e4

SHA512
a0f1739e9a093554df58bb5ff38ccefb66c0fba3f2d3107c05a48dad4f3f0e1c147500394d4f1ed5ba030737ac07385eb67780729a5512ea0dd78a59622c2615

Download Submit
\Users\Admin\AppData\Local\Temp\BULLEX~1.DLL
MD5
7daab1cfff460632833453f41925141e

SHA1
728b0a67930de5b86ed91b9a953d1101f45bcb7a

SHA256
2175991645153bed680b94b99d5666d7031a7abee2fb108d0c172de7766b88e4

SHA512
a0f1739e9a093554df58bb5ff38ccefb66c0fba3f2d3107c05a48dad4f3f0e1c147500394d4f1ed5ba030737ac07385eb67780729a5512ea0dd78a59622c2615

Download Submit
memory/208-59-0x0000000000000000-mapping.dmp

Download
memory/1784-54-0x0000000008660000-0x0000000008661000-memory.dmp

Filesize
4KB

Download
memory/1784-51-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/1784-46-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/1784-47-0x0000000006E12000-0x0000000006E13000-memory.dmp

Filesize
4KB

Download
memory/1784-42-0x0000000070DE0000-0x00000000714CE000-memory.dmp

Filesize
6.9MB

Download
memory/1784-40-0x0000000000000000-mapping.dmp

Download
memory/1784-60-0x0000000006E13000-0x0000000006E14000-memory.dmp

Filesize
4KB

Download
memory/2640-29-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/2640-39-0x0000000006AC3000-0x0000000006AC4000-memory.dmp

Filesize
4KB

Download
memory/2640-26-0x0000000006AC2000-0x0000000006AC3000-memory.dmp

Filesize
4KB

Download
memory/2640-27-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/2640-28-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/2640-20-0x0000000000000000-mapping.dmp

Download
memory/2640-30-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/2640-31-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/2640-32-0x00000000080A0000-0x00000000080A1000-memory.dmp

Filesize
4KB

Download
memory/2640-24-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/2640-34-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/2640-35-0x0000000009750000-0x0000000009751000-memory.dmp

Filesize
4KB

Download
memory/2640-36-0x0000000008CD0000-0x0000000008CD1000-memory.dmp

Filesize
4KB

Download
memory/2640-37-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/2640-23-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/2640-25-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/2640-22-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/2640-21-0x0000000071440000-0x0000000071B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2712-63-0x0000000000000000-mapping.dmp

Download
memory/3068-10-0x0000000004781000-0x0000000004CF4000-memory.dmp

Filesize
5.4MB

Download
memory/3068-18-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3068-17-0x0000000005251000-0x00000000058B2000-memory.dmp

Filesize
6.4MB

Download
memory/3068-6-0x0000000000000000-mapping.dmp

Download
memory/3620-2-0x00000000018B0000-0x00000000018B1000-memory.dmp

Filesize
4KB

Download
memory/3620-5-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3620-4-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3620-3-0x00000000018B0000-0x0000000001FA7000-memory.dmp

Filesize
7.0MB

Download
memory/4036-62-0x0000000000000000-mapping.dmp

Download
memory/4044-19-0x0000000004D81000-0x00000000053E2000-memory.dmp

Filesize
6.4MB

Download
memory/4044-13-0x0000000000000000-mapping.dmp

Download
memory/4044-45-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download