danabot | 586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4

General

Target

586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe
Size

6.0MB
MD5

233d9fd5a7f914b37db9921758aec1eb
SHA1

903ffecd586cd71cd83d87bffb6384b6d87ec743
SHA256

586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4
SHA512

ab2b207ed84dc603f759200e174dfc8e6ef902adf64ba4fbbdd3b0f5a8cfc33f2ee621034d7a381a577b97fd9e9d52ffbea748795095b49ded2eb19f87c56631

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

23.106.123.141:443

23.254.225.170:443

193.34.167.88:443

23.106.123.185:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

9 508 RUNDLL32.EXE
14 508 RUNDLL32.EXE
15 508 RUNDLL32.EXE
16 508 RUNDLL32.EXE
Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

3172 rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3172 rundll32.exe
508 RUNDLL32.EXE
508 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 3172 rundll32.exe
Token: SeDebugPrivilege 508 RUNDLL32.EXE

flow	pid	process
9	508	RUNDLL32.EXE
14	508	RUNDLL32.EXE
15	508	RUNDLL32.EXE
16	508	RUNDLL32.EXE

pid	process
3172	rundll32.exe

pid	process
3172	rundll32.exe
508	RUNDLL32.EXE
508	RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	3172	rundll32.exe
Token: SeDebugPrivilege	508	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exerundll32.exe

description	pid	process	target process
PID 804 wrote to memory of 3172	804	586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe	rundll32.exe
PID 804 wrote to memory of 3172	804	586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe	rundll32.exe
PID 804 wrote to memory of 3172	804	586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe	rundll32.exe
PID 3172 wrote to memory of 508	3172	rundll32.exe	RUNDLL32.EXE
PID 3172 wrote to memory of 508	3172	rundll32.exe	RUNDLL32.EXE
PID 3172 wrote to memory of 508	3172	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe
"C:\Users\Admin\AppData\Local\Temp\586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\586B6B~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\586B6B~1.EXE
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\586B6B~1.DLL,NhAmLDa4BVQ=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\586B6B~1.DLL
MD5
cd1fe6ca56034ce3d61c3cb3e96b93a4

SHA1
148f6714446c5372654cc23366cfb230cf1b8b9a

SHA256
ddad6c36e71f646627c9652577171cab4bfafa9086badac0e9f8220549d1aa7f

SHA512
a46db2b3bf8a79c8986c81fe904ddb64f906c7adc0eb2d7dead2f6295e8b77aef8bdd70ec4adce1face6046c90dbd0375433bb70647e5abef8376b85743c978c

Download Submit
\Users\Admin\AppData\Local\Temp\586B6B~1.DLL
MD5
cd1fe6ca56034ce3d61c3cb3e96b93a4

SHA1
148f6714446c5372654cc23366cfb230cf1b8b9a

SHA256
ddad6c36e71f646627c9652577171cab4bfafa9086badac0e9f8220549d1aa7f

SHA512
a46db2b3bf8a79c8986c81fe904ddb64f906c7adc0eb2d7dead2f6295e8b77aef8bdd70ec4adce1face6046c90dbd0375433bb70647e5abef8376b85743c978c

Download Submit
\Users\Admin\AppData\Local\Temp\586B6B~1.DLL
MD5
cd1fe6ca56034ce3d61c3cb3e96b93a4

SHA1
148f6714446c5372654cc23366cfb230cf1b8b9a

SHA256
ddad6c36e71f646627c9652577171cab4bfafa9086badac0e9f8220549d1aa7f

SHA512
a46db2b3bf8a79c8986c81fe904ddb64f906c7adc0eb2d7dead2f6295e8b77aef8bdd70ec4adce1face6046c90dbd0375433bb70647e5abef8376b85743c978c

Download Submit
\Users\Admin\AppData\Local\Temp\586B6B~1.DLL
MD5
cd1fe6ca56034ce3d61c3cb3e96b93a4

SHA1
148f6714446c5372654cc23366cfb230cf1b8b9a

SHA256
ddad6c36e71f646627c9652577171cab4bfafa9086badac0e9f8220549d1aa7f

SHA512
a46db2b3bf8a79c8986c81fe904ddb64f906c7adc0eb2d7dead2f6295e8b77aef8bdd70ec4adce1face6046c90dbd0375433bb70647e5abef8376b85743c978c

Download Submit
memory/508-122-0x0000000000000000-mapping.dmp

Download
memory/508-125-0x00000000048C0000-0x0000000004E79000-memory.dmp

Filesize
5.7MB

Download
memory/508-128-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/508-129-0x00000000054B1000-0x0000000005B0F000-memory.dmp

Filesize
6.4MB

Download
memory/804-114-0x0000000006840000-0x0000000006F35000-memory.dmp

Filesize
7.0MB

Download
memory/804-115-0x0000000000400000-0x0000000004359000-memory.dmp

Filesize
63.3MB

Download
memory/804-116-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/3172-117-0x0000000000000000-mapping.dmp

Download
memory/3172-126-0x0000000005401000-0x0000000005A5F000-memory.dmp

Filesize
6.4MB

Download
memory/3172-127-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing