danabot | 13f4892e2108e176a73353d8e5b0d1a7c1721eb41b11921ee01300419373b374

Analysis

max time kernel
132s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
10-04-2021 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

intercom.exe
Size

5.9MB
MD5

aa93361d01ad033f88e422a2c845b045
SHA1

3bc3c157a3a0e0a1e558458c818345f19cc8112a
SHA256

13f4892e2108e176a73353d8e5b0d1a7c1721eb41b11921ee01300419373b374
SHA512

6fa96cc15642d0869bf90417695332e8a984048bf6e13beb6a7d8fa494386c957d5e960df028157d76d6d915df3bf728c3bf9cfdadfa8e7e86bad6eb51ce8c23

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

193.34.167.88:443

192.3.26.107:443

23.81.246.201:443

134.119.186.216:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 2 IoCs

Processes:

RUNDLL32.EXE

flow pid process

8 3724 RUNDLL32.EXE
12 3724 RUNDLL32.EXE
Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

2804 rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2804 rundll32.exe
3724 RUNDLL32.EXE
3724 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
8	3724	RUNDLL32.EXE
12	3724	RUNDLL32.EXE

pid	process
2804	rundll32.exe

pid	process
2804	rundll32.exe
3724	RUNDLL32.EXE
3724	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3508	powershell.exe
3508	powershell.exe
3508	powershell.exe
3724	RUNDLL32.EXE
3724	RUNDLL32.EXE
3624	powershell.exe
3624	powershell.exe
3624	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2804	rundll32.exe
Token: SeDebugPrivilege	3724	RUNDLL32.EXE
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

3724 RUNDLL32.EXE

pid	process
3724	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

intercom.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3540 wrote to memory of 2804	3540	intercom.exe	rundll32.exe
PID 3540 wrote to memory of 2804	3540	intercom.exe	rundll32.exe
PID 3540 wrote to memory of 2804	3540	intercom.exe	rundll32.exe
PID 2804 wrote to memory of 3724	2804	rundll32.exe	RUNDLL32.EXE
PID 2804 wrote to memory of 3724	2804	rundll32.exe	RUNDLL32.EXE
PID 2804 wrote to memory of 3724	2804	rundll32.exe	RUNDLL32.EXE
PID 3724 wrote to memory of 3508	3724	RUNDLL32.EXE	powershell.exe
PID 3724 wrote to memory of 3508	3724	RUNDLL32.EXE	powershell.exe
PID 3724 wrote to memory of 3508	3724	RUNDLL32.EXE	powershell.exe
PID 3724 wrote to memory of 3624	3724	RUNDLL32.EXE	powershell.exe
PID 3724 wrote to memory of 3624	3724	RUNDLL32.EXE	powershell.exe
PID 3724 wrote to memory of 3624	3724	RUNDLL32.EXE	powershell.exe
PID 3624 wrote to memory of 1648	3624	powershell.exe	nslookup.exe
PID 3624 wrote to memory of 1648	3624	powershell.exe	nslookup.exe
PID 3624 wrote to memory of 1648	3624	powershell.exe	nslookup.exe
PID 3724 wrote to memory of 2196	3724	RUNDLL32.EXE	schtasks.exe
PID 3724 wrote to memory of 2196	3724	RUNDLL32.EXE	schtasks.exe
PID 3724 wrote to memory of 2196	3724	RUNDLL32.EXE	schtasks.exe
PID 3724 wrote to memory of 3360	3724	RUNDLL32.EXE	schtasks.exe
PID 3724 wrote to memory of 3360	3724	RUNDLL32.EXE	schtasks.exe
PID 3724 wrote to memory of 3360	3724	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\intercom.exe
"C:\Users\Admin\AppData\Local\Temp\intercom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\INTERC~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\intercom.exe
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\INTERC~1.DLL,bToz
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC7F9.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpDB06.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:1648

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2196

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a8f262209d1b7519ad28a899ed1b56e5

SHA1
fa7855c2171a0b7d5cd15ce07068c1710fa99d5a

SHA256
77d079cfb4e108be2dda79fb8bdeba46bb6106d9b6d06a3f75eed1511c45a6c7

SHA512
8adbec8d245b2958965c786e1864a9ee4e051d80ca00162a3007c45839a8418f463e8410f96e3d4d766d70f9b5ad4a91bcd87efc29b6947d7a8af42c9191ccb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\INTERC~1.DLL
MD5
82eaab4e6934b0a8237dd99523278a90

SHA1
b7cb11d9c4b7f4c6c78d0bd7d1b9a83b0cf48a56

SHA256
b600561d324a9fd217ee288a99a29aa638ecf11e7163c37ccd8794bb098e518d

SHA512
028d5ec2b334c3d6a91391f7c0f61e6565fa142171246a0f92af1a23e19c8c8e4beab12385d3d3fef29318828de7393c6151a057e98ec888e2a3639897643d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7F9.tmp.ps1
MD5
55c60b81a3c590b06edcd441ab7d7b7c

SHA1
e7631cd283967e8374f9bac2b87b1903f3a0438b

SHA256
aa5dd4b025d07e7eeea8fa4f1a802fa900e66399f75eb52155e7774596044ef4

SHA512
8ccb4f6c142633274c9604d37a40efb004b5a52bcb19d987c9da612337a09f10cbd600253a84ce45a8b2222a0c5a9e3cca38276d20691d17a586440af04d7827

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7FA.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB06.tmp.ps1
MD5
bdd5ded237b26595fa1d53f9c428cecd

SHA1
b136eccc4b9384876105578d4976ceebb6818039

SHA256
04836af6a35a385f28d6ad9d69ac1475c83bf56cb621f5203076077428ba8072

SHA512
9fd4173e91989e99b63c5fe402517ff01e8a8929743c8d8aeb21365329ca16341260d95fbb5d7569dacba9b3fca3c4d3609b2efdad9cefc28a79e30ca8d12b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB07.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\INTERC~1.DLL
MD5
82eaab4e6934b0a8237dd99523278a90

SHA1
b7cb11d9c4b7f4c6c78d0bd7d1b9a83b0cf48a56

SHA256
b600561d324a9fd217ee288a99a29aa638ecf11e7163c37ccd8794bb098e518d

SHA512
028d5ec2b334c3d6a91391f7c0f61e6565fa142171246a0f92af1a23e19c8c8e4beab12385d3d3fef29318828de7393c6151a057e98ec888e2a3639897643d47

Download Submit
\Users\Admin\AppData\Local\Temp\INTERC~1.DLL
MD5
82eaab4e6934b0a8237dd99523278a90

SHA1
b7cb11d9c4b7f4c6c78d0bd7d1b9a83b0cf48a56

SHA256
b600561d324a9fd217ee288a99a29aa638ecf11e7163c37ccd8794bb098e518d

SHA512
028d5ec2b334c3d6a91391f7c0f61e6565fa142171246a0f92af1a23e19c8c8e4beab12385d3d3fef29318828de7393c6151a057e98ec888e2a3639897643d47

Download Submit
\Users\Admin\AppData\Local\Temp\INTERC~1.DLL
MD5
82eaab4e6934b0a8237dd99523278a90

SHA1
b7cb11d9c4b7f4c6c78d0bd7d1b9a83b0cf48a56

SHA256
b600561d324a9fd217ee288a99a29aa638ecf11e7163c37ccd8794bb098e518d

SHA512
028d5ec2b334c3d6a91391f7c0f61e6565fa142171246a0f92af1a23e19c8c8e4beab12385d3d3fef29318828de7393c6151a057e98ec888e2a3639897643d47

Download Submit
memory/1648-179-0x0000000000000000-mapping.dmp

Download
memory/2196-182-0x0000000000000000-mapping.dmp

Download
memory/2804-117-0x0000000000000000-mapping.dmp

Download
memory/2804-127-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/2804-120-0x00000000052A1000-0x0000000005900000-memory.dmp

Filesize
6.4MB

Download
memory/3360-184-0x0000000000000000-mapping.dmp

Download
memory/3508-140-0x0000000004822000-0x0000000004823000-memory.dmp

Filesize
4KB

Download
memory/3508-152-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/3508-135-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/3508-136-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/3508-137-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/3508-138-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/3508-139-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/3508-155-0x0000000004823000-0x0000000004824000-memory.dmp

Filesize
4KB

Download
memory/3508-141-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/3508-142-0x00000000084F0000-0x00000000084F1000-memory.dmp

Filesize
4KB

Download
memory/3508-143-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/3508-133-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/3508-145-0x00000000083D0000-0x00000000083D1000-memory.dmp

Filesize
4KB

Download
memory/3508-150-0x0000000009AA0000-0x0000000009AA1000-memory.dmp

Filesize
4KB

Download
memory/3508-151-0x0000000009030000-0x0000000009031000-memory.dmp

Filesize
4KB

Download
memory/3508-134-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/3508-130-0x0000000000000000-mapping.dmp

Download
memory/3540-115-0x0000000000400000-0x000000000314A000-memory.dmp

Filesize
45.3MB

Download
memory/3540-114-0x0000000005410000-0x0000000005B05000-memory.dmp

Filesize
7.0MB

Download
memory/3540-116-0x00000000031C0000-0x000000000326E000-memory.dmp

Filesize
696KB

Download
memory/3624-156-0x0000000000000000-mapping.dmp

Download
memory/3624-164-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/3624-167-0x0000000007D10000-0x0000000007D11000-memory.dmp

Filesize
4KB

Download
memory/3624-169-0x00000000068E0000-0x00000000068E1000-memory.dmp

Filesize
4KB

Download
memory/3624-170-0x00000000068E2000-0x00000000068E3000-memory.dmp

Filesize
4KB

Download
memory/3624-183-0x00000000068E3000-0x00000000068E4000-memory.dmp

Filesize
4KB

Download
memory/3724-129-0x00000000050C1000-0x0000000005720000-memory.dmp

Filesize
6.4MB

Download
memory/3724-123-0x0000000000000000-mapping.dmp

Download
memory/3724-126-0x0000000004430000-0x00000000049EA000-memory.dmp

Filesize
5.7MB

Download
memory/3724-128-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/3724-168-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download