Analysis

  • max time kernel
    132s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15-04-2021 17:27

General

  • Target

    70f39b918aa79601c5b9d17935559538.exe

  • Size

    5.9MB

  • MD5

    70f39b918aa79601c5b9d17935559538

  • SHA1

    6f705010574cfbfe78c93b0710f41d0587697ce5

  • SHA256

    0f237d9138bc4c7ed7b15f75a9690c25b6dbe90fd2f2a5f9b238d2b978d0e1f8

  • SHA512

    a92eae29fd10f247db4641411592f42874516f819052abf7c4727193b381baef479e0eccdc2f1df15ddcc658ff6d48f1d5f55baa4f3d36904c90c6d2a3e0d61d

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

192.210.198.12:443

23.106.123.185:443

192.236.147.83:443

23.106.123.141:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request 4 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70f39b918aa79601c5b9d17935559538.exe
    "C:\Users\Admin\AppData\Local\Temp\70f39b918aa79601c5b9d17935559538.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\70F39B~1.EXE
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL,SxwvZA==
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:4184

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL
    MD5

    64830f0126d8c55806fb14757c5972ba

    SHA1

    a15d9828888e7581b85b493cb30b7336ded9742d

    SHA256

    a646713e20c202b2a1894dbb4679a8bd7d35c0ddd38d2eb122cc4ff4ab4c9341

    SHA512

    7879b9f69d188d9a0e24e57bfab23990d96803d2f673526e71c2d84c7edaeccb4de7f67daee76ee65331153061f4fcfdb982874fd46192d2c158377636e57b9e

  • \Users\Admin\AppData\Local\Temp\70F39B~1.DLL
    MD5

    64830f0126d8c55806fb14757c5972ba

    SHA1

    a15d9828888e7581b85b493cb30b7336ded9742d

    SHA256

    a646713e20c202b2a1894dbb4679a8bd7d35c0ddd38d2eb122cc4ff4ab4c9341

    SHA512

    7879b9f69d188d9a0e24e57bfab23990d96803d2f673526e71c2d84c7edaeccb4de7f67daee76ee65331153061f4fcfdb982874fd46192d2c158377636e57b9e

  • \Users\Admin\AppData\Local\Temp\70F39B~1.DLL
    MD5

    64830f0126d8c55806fb14757c5972ba

    SHA1

    a15d9828888e7581b85b493cb30b7336ded9742d

    SHA256

    a646713e20c202b2a1894dbb4679a8bd7d35c0ddd38d2eb122cc4ff4ab4c9341

    SHA512

    7879b9f69d188d9a0e24e57bfab23990d96803d2f673526e71c2d84c7edaeccb4de7f67daee76ee65331153061f4fcfdb982874fd46192d2c158377636e57b9e

  • \Users\Admin\AppData\Local\Temp\70F39B~1.DLL
    MD5

    64830f0126d8c55806fb14757c5972ba

    SHA1

    a15d9828888e7581b85b493cb30b7336ded9742d

    SHA256

    a646713e20c202b2a1894dbb4679a8bd7d35c0ddd38d2eb122cc4ff4ab4c9341

    SHA512

    7879b9f69d188d9a0e24e57bfab23990d96803d2f673526e71c2d84c7edaeccb4de7f67daee76ee65331153061f4fcfdb982874fd46192d2c158377636e57b9e

  • \Users\Admin\AppData\Local\Temp\70F39B~1.DLL
    MD5

    64830f0126d8c55806fb14757c5972ba

    SHA1

    a15d9828888e7581b85b493cb30b7336ded9742d

    SHA256

    a646713e20c202b2a1894dbb4679a8bd7d35c0ddd38d2eb122cc4ff4ab4c9341

    SHA512

    7879b9f69d188d9a0e24e57bfab23990d96803d2f673526e71c2d84c7edaeccb4de7f67daee76ee65331153061f4fcfdb982874fd46192d2c158377636e57b9e

  • memory/3300-122-0x00000000056C0000-0x00000000056C1000-memory.dmp
    Filesize

    4KB

  • memory/3300-117-0x0000000000000000-mapping.dmp
  • memory/3300-121-0x0000000004610000-0x0000000004BC9000-memory.dmp
    Filesize

    5.7MB

  • memory/3300-128-0x0000000004F11000-0x000000000556F000-memory.dmp
    Filesize

    6.4MB

  • memory/3300-129-0x0000000000750000-0x0000000000751000-memory.dmp
    Filesize

    4KB

  • memory/4184-123-0x0000000000000000-mapping.dmp
  • memory/4184-126-0x0000000000AD0000-0x0000000001089000-memory.dmp
    Filesize

    5.7MB

  • memory/4184-127-0x00000000011D0000-0x00000000011D1000-memory.dmp
    Filesize

    4KB

  • memory/4184-130-0x0000000004BD1000-0x000000000522F000-memory.dmp
    Filesize

    6.4MB

  • memory/4804-114-0x00000000035D0000-0x0000000003CC4000-memory.dmp
    Filesize

    7.0MB

  • memory/4804-116-0x0000000002D00000-0x0000000002D01000-memory.dmp
    Filesize

    4KB

  • memory/4804-115-0x0000000000400000-0x0000000000FCC000-memory.dmp
    Filesize

    11.8MB