danabot | 734f6783c377c10fd6816563b4eaf0a0c1f5fd30d0ceb271d5df53eabf553a49

General

Target

SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe
Size

5.9MB
MD5

aa444cd99154f376edbbc9c3effa1f66
SHA1

3168456601e3aa7436ae521bb43d9af77171435d
SHA256

734f6783c377c10fd6816563b4eaf0a0c1f5fd30d0ceb271d5df53eabf553a49
SHA512

c259d41ce55bd50aae9b99f8f100c04ced6e484097fa6e664e086e7b39b48ac35388e901eb8d3c1e52e6259f0e08ec4f4a28915b29c7dc00669fa4e4af0dd576

Score

10^/10

danabot 3 banker discovery trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

192.236.147.83:443

23.106.123.141:443

192.210.198.12:443

23.254.225.170:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

1764 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1764 rundll32.exe
1764 rundll32.exe
1764 rundll32.exe
1764 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1764 rundll32.exe

pid	process
1764	rundll32.exe

pid	process
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1764	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exerundll32.exe

description	pid	process	target process
PID 1684 wrote to memory of 1764	1684	SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe	rundll32.exe
PID 1684 wrote to memory of 1764	1684	SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe	rundll32.exe
PID 1684 wrote to memory of 1764	1684	SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe	rundll32.exe
PID 1684 wrote to memory of 1764	1684	SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe	rundll32.exe
PID 1684 wrote to memory of 1764	1684	SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe	rundll32.exe
PID 1684 wrote to memory of 1764	1684	SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe	rundll32.exe
PID 1684 wrote to memory of 1764	1684	SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe	rundll32.exe
PID 1764 wrote to memory of 1556	1764	rundll32.exe	RUNDLL32.EXE
PID 1764 wrote to memory of 1556	1764	rundll32.exe	RUNDLL32.EXE
PID 1764 wrote to memory of 1556	1764	rundll32.exe	RUNDLL32.EXE
PID 1764 wrote to memory of 1556	1764	rundll32.exe	RUNDLL32.EXE
PID 1764 wrote to memory of 1556	1764	rundll32.exe	RUNDLL32.EXE
PID 1764 wrote to memory of 1556	1764	rundll32.exe	RUNDLL32.EXE
PID 1764 wrote to memory of 1556	1764	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,QSsWjBwpA4z2
3⤵
PID:1556

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5
1e21e3c8239fe112a29ce4c2d8f613da

SHA1
0836ca42f0a835d67808bab98f89692da5fe5849

SHA256
c8e72b618698d12d4373c50e7ae0bc7f7eee992af491c59dfc2c64751f5edde2

SHA512
a0fc61b212d8cb7fde5afd5807f25f6eb29700286b5825754ec64ac270dad93b29d5083184116a44dbe891f3758ee0d3bff6fbb447da57049e7a8d400f82a81a

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5
1e21e3c8239fe112a29ce4c2d8f613da

SHA1
0836ca42f0a835d67808bab98f89692da5fe5849

SHA256
c8e72b618698d12d4373c50e7ae0bc7f7eee992af491c59dfc2c64751f5edde2

SHA512
a0fc61b212d8cb7fde5afd5807f25f6eb29700286b5825754ec64ac270dad93b29d5083184116a44dbe891f3758ee0d3bff6fbb447da57049e7a8d400f82a81a

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5
1e21e3c8239fe112a29ce4c2d8f613da

SHA1
0836ca42f0a835d67808bab98f89692da5fe5849

SHA256
c8e72b618698d12d4373c50e7ae0bc7f7eee992af491c59dfc2c64751f5edde2

SHA512
a0fc61b212d8cb7fde5afd5807f25f6eb29700286b5825754ec64ac270dad93b29d5083184116a44dbe891f3758ee0d3bff6fbb447da57049e7a8d400f82a81a

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5
1e21e3c8239fe112a29ce4c2d8f613da

SHA1
0836ca42f0a835d67808bab98f89692da5fe5849

SHA256
c8e72b618698d12d4373c50e7ae0bc7f7eee992af491c59dfc2c64751f5edde2

SHA512
a0fc61b212d8cb7fde5afd5807f25f6eb29700286b5825754ec64ac270dad93b29d5083184116a44dbe891f3758ee0d3bff6fbb447da57049e7a8d400f82a81a

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5
1e21e3c8239fe112a29ce4c2d8f613da

SHA1
0836ca42f0a835d67808bab98f89692da5fe5849

SHA256
c8e72b618698d12d4373c50e7ae0bc7f7eee992af491c59dfc2c64751f5edde2

SHA512
a0fc61b212d8cb7fde5afd5807f25f6eb29700286b5825754ec64ac270dad93b29d5083184116a44dbe891f3758ee0d3bff6fbb447da57049e7a8d400f82a81a

Download Submit
memory/1556-73-0x0000000000000000-mapping.dmp

Download
memory/1684-63-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1684-62-0x0000000000400000-0x0000000004352000-memory.dmp

Filesize
63.3MB

Download
memory/1684-61-0x0000000006460000-0x0000000006B54000-memory.dmp

Filesize
7.0MB

Download
memory/1684-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1764-64-0x0000000000000000-mapping.dmp

Download
memory/1764-71-0x0000000002160000-0x0000000002719000-memory.dmp

Filesize
5.7MB

Download
memory/1764-72-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/1764-74-0x00000000029F1000-0x000000000304F000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing