danabot | 4178f235c96e570925dc63c9d4576b49bac66fba0cff227d8f42d691ff0ebf93

General

Target

-BK-C-CTI.exe.dll
Size

5.7MB
MD5

f714cb42f51d508200da9286c4a171b0
SHA1

707c7920ade9ac71cc04b4e4dcf99536d76c46a3
SHA256

4178f235c96e570925dc63c9d4576b49bac66fba0cff227d8f42d691ff0ebf93
SHA512

50149c3dd12279ffb53ebf1eacd395b2269d20190369c11cad88bb77eefcb7decdb090eb424bf56ccbea66af5a3bde62a13f0c6b8d153309751fab8c1e0bbf7a

Score

10^/10

danabot banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

C2

192.161.48.5:443

192.3.26.98:443

142.44.224.16:443

192.236.162.42:443

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 1 IoCs

Processes:

RUNDLL32.EXE

flow pid process

13 1940 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
13	1940	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid process

3168 powershell.exe
3168 powershell.exe
3168 powershell.exe
1940 RUNDLL32.EXE
1940 RUNDLL32.EXE
528 powershell.exe
528 powershell.exe
528 powershell.exe

pid	process
3168	powershell.exe
3168	powershell.exe
3168	powershell.exe
1940	RUNDLL32.EXE
1940	RUNDLL32.EXE
528	powershell.exe
528	powershell.exe
528	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4732	rundll32.exe
Token: SeDebugPrivilege	1940	RUNDLL32.EXE
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

1940 RUNDLL32.EXE

pid	process
1940	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

rundll32.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 4684 wrote to memory of 4732	4684	rundll32.exe	rundll32.exe
PID 4684 wrote to memory of 4732	4684	rundll32.exe	rundll32.exe
PID 4684 wrote to memory of 4732	4684	rundll32.exe	rundll32.exe
PID 4732 wrote to memory of 1940	4732	rundll32.exe	RUNDLL32.EXE
PID 4732 wrote to memory of 1940	4732	rundll32.exe	RUNDLL32.EXE
PID 4732 wrote to memory of 1940	4732	rundll32.exe	RUNDLL32.EXE
PID 1940 wrote to memory of 3168	1940	RUNDLL32.EXE	powershell.exe
PID 1940 wrote to memory of 3168	1940	RUNDLL32.EXE	powershell.exe
PID 1940 wrote to memory of 3168	1940	RUNDLL32.EXE	powershell.exe
PID 1940 wrote to memory of 528	1940	RUNDLL32.EXE	powershell.exe
PID 1940 wrote to memory of 528	1940	RUNDLL32.EXE	powershell.exe
PID 1940 wrote to memory of 528	1940	RUNDLL32.EXE	powershell.exe
PID 528 wrote to memory of 1472	528	powershell.exe	nslookup.exe
PID 528 wrote to memory of 1472	528	powershell.exe	nslookup.exe
PID 528 wrote to memory of 1472	528	powershell.exe	nslookup.exe
PID 1940 wrote to memory of 1632	1940	RUNDLL32.EXE	schtasks.exe
PID 1940 wrote to memory of 1632	1940	RUNDLL32.EXE	schtasks.exe
PID 1940 wrote to memory of 1632	1940	RUNDLL32.EXE	schtasks.exe
PID 1940 wrote to memory of 1868	1940	RUNDLL32.EXE	schtasks.exe
PID 1940 wrote to memory of 1868	1940	RUNDLL32.EXE	schtasks.exe
PID 1940 wrote to memory of 1868	1940	RUNDLL32.EXE	schtasks.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\-BK-C-CTI.exe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\-BK-C-CTI.exe.dll,#1
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\-BK-C-CTI.exe.dll,ZU0YTI3N
3⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp50C5.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6597.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:1472

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1632

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bcc028eb6b55c8585ce33d68a7a5ed9a

SHA1
82aab021e185761e58658d4dc736ecccd9dab596

SHA256
f0bcd110e0beed7076c449dddc2b2a01e0f4916b1d62b13ed2285db2472c0b50

SHA512
6790ed8fdbd20c197bbeb298528212300384052049a2e9f953ab59a967cac70cb1f5f2e92afb2e5f42c6d8fed15ea22bfa440258250ab588fb26e9e3f38a557d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50C5.tmp.ps1
MD5
ec75debaa421462746d2ff46dcd46d88

SHA1
5a2883e7d2c58b45c05a0c4f597d08690f788123

SHA256
6e3eed2d95734f849d9b21dcd27b380af7d258e97952fdb9749de92adba19288

SHA512
2d42c1fdde810a22ba21a19a983b9dfc0b7696b5df7afd94dc34e5e668809685b67843ef2066d5fcf8acb30d3387876b70c7d6d40b523d1ee8ab991906ad0b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50C6.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6597.tmp.ps1
MD5
2ce836512b4c01291b6ffed3a572a885

SHA1
0fbcdf6b8241849dc0cb464a7ca96b4c8dbc07f2

SHA256
875191c9b6dc70cf666d7a7a19319b75c4216ae36acfebf0069e1352af17fc22

SHA512
a49ba29f0c2445c081c0c7d9acd3e69745be1c4f9ac4927ca658ad78a93afd0ccde74639e3094d34f22b390849efaab4048013fdf05d2e40ae1e71e2f09e4762

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6598.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
memory/528-39-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/528-41-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/528-42-0x00000000043C2000-0x00000000043C3000-memory.dmp

Filesize
4KB

Download
memory/528-50-0x00000000043C3000-0x00000000043C4000-memory.dmp

Filesize
4KB

Download
memory/528-36-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/528-30-0x0000000070AE0000-0x00000000711CE000-memory.dmp

Filesize
6.9MB

Download
memory/528-28-0x0000000000000000-mapping.dmp

Download
memory/1472-47-0x0000000000000000-mapping.dmp

Download
memory/1632-49-0x0000000000000000-mapping.dmp

Download
memory/1868-51-0x0000000000000000-mapping.dmp

Download
memory/1940-40-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1940-7-0x0000000004DC1000-0x0000000005422000-memory.dmp

Filesize
6.4MB

Download
memory/1940-3-0x0000000000000000-mapping.dmp

Download
memory/3168-12-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3168-15-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/3168-24-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/3168-25-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/3168-22-0x00000000089B0000-0x00000000089B1000-memory.dmp

Filesize
4KB

Download
memory/3168-27-0x0000000004F53000-0x0000000004F54000-memory.dmp

Filesize
4KB

Download
memory/3168-20-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/3168-19-0x00000000089F0000-0x00000000089F1000-memory.dmp

Filesize
4KB

Download
memory/3168-18-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/3168-17-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/3168-16-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/3168-23-0x000000000A080000-0x000000000A081000-memory.dmp

Filesize
4KB

Download
memory/3168-14-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/3168-8-0x0000000000000000-mapping.dmp

Download
memory/3168-13-0x0000000004F52000-0x0000000004F53000-memory.dmp

Filesize
4KB

Download
memory/3168-11-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/3168-10-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3168-9-0x0000000071140000-0x000000007182E000-memory.dmp

Filesize
6.9MB

Download
memory/4732-2-0x0000000000000000-mapping.dmp

Download
memory/4732-6-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/4732-5-0x0000000005581000-0x0000000005BE2000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads