danabot | dc3d8c3f1d1991dca9dd82a1943e519e4049ee0a34f89af6c961adbfcd1a6918

Analysis

max time kernel
134s
max time network
117s
platform
windows10_x64
resource
win10v20201028
submitted
08-04-2021 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.W32.AIDetect.malware1.2200.14031.exe
Size

5.8MB
MD5

8489eaf91d0c39c9dcca9f1a6ca5af1d
SHA1

831ec0fa5cbff0997af659a62ddc3a0a25abedc8
SHA256

dc3d8c3f1d1991dca9dd82a1943e519e4049ee0a34f89af6c961adbfcd1a6918
SHA512

0a5b73b68d642d317f475c199f9e2a9aaedf0f73e9a507dc019d6b1d97528297e12df4e656ea9f916b6a331b6018f3f7e771bbea7e9d3040862d2f48e61f6fc4

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

23.106.123.249:443

23.106.123.141:443

23.254.225.170:443

134.119.186.216:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

12 4432 RUNDLL32.EXE
13 4432 RUNDLL32.EXE
18 4432 RUNDLL32.EXE
19 4432 RUNDLL32.EXE
Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

3164 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3164 rundll32.exe
3164 rundll32.exe
4432 RUNDLL32.EXE
4432 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
12	4432	RUNDLL32.EXE
13	4432	RUNDLL32.EXE
18	4432	RUNDLL32.EXE
19	4432	RUNDLL32.EXE

pid	process
3164	rundll32.exe

pid	process
3164	rundll32.exe
3164	rundll32.exe
4432	RUNDLL32.EXE
4432	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
4524	powershell.exe
4524	powershell.exe
4524	powershell.exe
4432	RUNDLL32.EXE
4432	RUNDLL32.EXE
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3164	rundll32.exe
Token: SeDebugPrivilege	4432	RUNDLL32.EXE
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

4432 RUNDLL32.EXE

pid	process
4432	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware1.2200.14031.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 4772 wrote to memory of 3164	4772	SecuriteInfo.com.W32.AIDetect.malware1.2200.14031.exe	rundll32.exe
PID 4772 wrote to memory of 3164	4772	SecuriteInfo.com.W32.AIDetect.malware1.2200.14031.exe	rundll32.exe
PID 4772 wrote to memory of 3164	4772	SecuriteInfo.com.W32.AIDetect.malware1.2200.14031.exe	rundll32.exe
PID 3164 wrote to memory of 4432	3164	rundll32.exe	RUNDLL32.EXE
PID 3164 wrote to memory of 4432	3164	rundll32.exe	RUNDLL32.EXE
PID 3164 wrote to memory of 4432	3164	rundll32.exe	RUNDLL32.EXE
PID 4432 wrote to memory of 4524	4432	RUNDLL32.EXE	powershell.exe
PID 4432 wrote to memory of 4524	4432	RUNDLL32.EXE	powershell.exe
PID 4432 wrote to memory of 4524	4432	RUNDLL32.EXE	powershell.exe
PID 4432 wrote to memory of 1784	4432	RUNDLL32.EXE	powershell.exe
PID 4432 wrote to memory of 1784	4432	RUNDLL32.EXE	powershell.exe
PID 4432 wrote to memory of 1784	4432	RUNDLL32.EXE	powershell.exe
PID 1784 wrote to memory of 4716	1784	powershell.exe	nslookup.exe
PID 1784 wrote to memory of 4716	1784	powershell.exe	nslookup.exe
PID 1784 wrote to memory of 4716	1784	powershell.exe	nslookup.exe
PID 4432 wrote to memory of 4732	4432	RUNDLL32.EXE	schtasks.exe
PID 4432 wrote to memory of 4732	4432	RUNDLL32.EXE	schtasks.exe
PID 4432 wrote to memory of 4732	4432	RUNDLL32.EXE	schtasks.exe
PID 4432 wrote to memory of 192	4432	RUNDLL32.EXE	schtasks.exe
PID 4432 wrote to memory of 192	4432	RUNDLL32.EXE	schtasks.exe
PID 4432 wrote to memory of 192	4432	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.2200.14031.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.2200.14031.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,RSYfLDaeBXw=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2358.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3A9B.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:4716

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:4732

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5e2b7e71056266dfcc2ac7d15021ddea

SHA1
02686c81115293221d1915042ed58dff765dd56b

SHA256
0d583a3d3e719160f1ac05317b5c86f1803d5e0c97a86aaf853a2341bac45ce3

SHA512
0a6ddbfa0eef39c7bee6c7f8cefc3638dbfe93082e05e18ea6ddd5a20fd70f49ca0d0b04964688f402f62a835239bb991e7a288e9d1b60208cce1869acc9e6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5
d4010f789559c6c981ab6d80854e9576

SHA1
598209c8242bba79d090feb16a80c1326a5617aa

SHA256
10eb11561e10d9c483b9acee032cdcfb5ee6218901de951029ddb740b5a99784

SHA512
438f238feed48a3bab69ca918ed249e6b7e18e558855fa53283f81097754f350e6f448008d3d1a7d1710319b44fba6a2bbf6019664d09a7bc97ba915d559f0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2358.tmp.ps1
MD5
273b97e8f7d24a79dfe8c1623e673b9a

SHA1
9189527216bf07690787e713b5a35e48a615cd71

SHA256
c66b80930066a0ec2c3cf77a8c3b3554566fcc496eb45f1b90879121ad4de23e

SHA512
69d72395510aee84a4fbd54e57fd779f39f5d688262d41835de4aff1627eddf999d96b425602bffb1053182f8c473f750c9d498d53482928b081f490b30cdbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2359.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A9B.tmp.ps1
MD5
8f1a12a42b22a9cc800aae77adee1cd0

SHA1
77b36f9a2874539bcde947dd8d9dc8a80a9fae6e

SHA256
3c423a62830444b0852b7aecd27499c0c71061db94122155c5d5a15a1bc8bc93

SHA512
b36bd693574b854a1d76df9f90c30f0f97fce5f10e673d96ec05e0c864990e4c85c1563d1a93e808e6ae7ffbcb4aae459ad92215445a0438f930b776c9c22fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A9C.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5
d4010f789559c6c981ab6d80854e9576

SHA1
598209c8242bba79d090feb16a80c1326a5617aa

SHA256
10eb11561e10d9c483b9acee032cdcfb5ee6218901de951029ddb740b5a99784

SHA512
438f238feed48a3bab69ca918ed249e6b7e18e558855fa53283f81097754f350e6f448008d3d1a7d1710319b44fba6a2bbf6019664d09a7bc97ba915d559f0e5

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5
d4010f789559c6c981ab6d80854e9576

SHA1
598209c8242bba79d090feb16a80c1326a5617aa

SHA256
10eb11561e10d9c483b9acee032cdcfb5ee6218901de951029ddb740b5a99784

SHA512
438f238feed48a3bab69ca918ed249e6b7e18e558855fa53283f81097754f350e6f448008d3d1a7d1710319b44fba6a2bbf6019664d09a7bc97ba915d559f0e5

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5
d4010f789559c6c981ab6d80854e9576

SHA1
598209c8242bba79d090feb16a80c1326a5617aa

SHA256
10eb11561e10d9c483b9acee032cdcfb5ee6218901de951029ddb740b5a99784

SHA512
438f238feed48a3bab69ca918ed249e6b7e18e558855fa53283f81097754f350e6f448008d3d1a7d1710319b44fba6a2bbf6019664d09a7bc97ba915d559f0e5

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5
d4010f789559c6c981ab6d80854e9576

SHA1
598209c8242bba79d090feb16a80c1326a5617aa

SHA256
10eb11561e10d9c483b9acee032cdcfb5ee6218901de951029ddb740b5a99784

SHA512
438f238feed48a3bab69ca918ed249e6b7e18e558855fa53283f81097754f350e6f448008d3d1a7d1710319b44fba6a2bbf6019664d09a7bc97ba915d559f0e5

Download Submit
memory/192-194-0x0000000000000000-mapping.dmp

Download
memory/1784-180-0x00000000085F0000-0x00000000085F1000-memory.dmp

Filesize
4KB

Download
memory/1784-176-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/1784-175-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/1784-177-0x0000000006FF2000-0x0000000006FF3000-memory.dmp

Filesize
4KB

Download
memory/1784-165-0x0000000000000000-mapping.dmp

Download
memory/1784-192-0x0000000006FF3000-0x0000000006FF4000-memory.dmp

Filesize
4KB

Download
memory/3164-131-0x0000000005261000-0x00000000058BF000-memory.dmp

Filesize
6.4MB

Download
memory/3164-117-0x0000000000000000-mapping.dmp

Download
memory/3164-121-0x0000000004600000-0x0000000004BBA000-memory.dmp

Filesize
5.7MB

Download
memory/3164-122-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/3164-132-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/4432-138-0x0000000005301000-0x000000000595F000-memory.dmp

Filesize
6.4MB

Download
memory/4432-127-0x0000000000000000-mapping.dmp

Download
memory/4432-130-0x00000000046B0000-0x0000000004C6A000-memory.dmp

Filesize
5.7MB

Download
memory/4432-174-0x0000000002D00000-0x0000000002E4A000-memory.dmp

Filesize
1.3MB

Download
memory/4432-133-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/4524-150-0x0000000008860000-0x0000000008861000-memory.dmp

Filesize
4KB

Download
memory/4524-144-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4524-154-0x0000000008C50000-0x0000000008C51000-memory.dmp

Filesize
4KB

Download
memory/4524-159-0x000000000A320000-0x000000000A321000-memory.dmp

Filesize
4KB

Download
memory/4524-160-0x00000000098A0000-0x00000000098A1000-memory.dmp

Filesize
4KB

Download
memory/4524-161-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/4524-139-0x0000000000000000-mapping.dmp

Download
memory/4524-164-0x0000000005083000-0x0000000005084000-memory.dmp

Filesize
4KB

Download
memory/4524-152-0x0000000008B40000-0x0000000008B41000-memory.dmp

Filesize
4KB

Download
memory/4524-151-0x0000000008D40000-0x0000000008D41000-memory.dmp

Filesize
4KB

Download
memory/4524-143-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/4524-145-0x0000000005082000-0x0000000005083000-memory.dmp

Filesize
4KB

Download
memory/4524-149-0x0000000008450000-0x0000000008451000-memory.dmp

Filesize
4KB

Download
memory/4524-148-0x00000000083E0000-0x00000000083E1000-memory.dmp

Filesize
4KB

Download
memory/4524-147-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/4524-146-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/4524-142-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4716-189-0x0000000000000000-mapping.dmp

Download
memory/4732-193-0x0000000000000000-mapping.dmp

Download
memory/4772-114-0x00000000055B0000-0x0000000005CA5000-memory.dmp

Filesize
7.0MB

Download
memory/4772-116-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/4772-115-0x0000000000400000-0x0000000003149000-memory.dmp

Filesize
45.3MB

Download