danabot | baef74c9dbf470ffbe0261de0843db69a6037c167cf003f5703b905d3ad6c3a3

Analysis

max time kernel
128s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
18-04-2021 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

klok.exe
Size

6.0MB
MD5

f8206a65ddbdaf77b5f8be6599081cff
SHA1

c9929afc9c726e69a3aaaebb1810a93877d99e69
SHA256

baef74c9dbf470ffbe0261de0843db69a6037c167cf003f5703b905d3ad6c3a3
SHA512

ffedbbe897519d928586c1b09e9c7d4930ad6d98de36093d27f903c5b0572ddb10c065c3a05e13829cfe93932bb77f62812c3f99553c0a84f7a8a863f575deb6

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

23.106.123.185:443

192.210.198.12:443

23.254.225.170:443

23.106.123.141:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 1 IoCs

Processes:

RUNDLL32.EXE

flow pid process

11 2788 RUNDLL32.EXE
Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

2732 rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2732 rundll32.exe
2788 RUNDLL32.EXE
2788 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
11	2788	RUNDLL32.EXE

pid	process
2732	rundll32.exe

pid	process
2732	rundll32.exe
2788	RUNDLL32.EXE
2788	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid process

1236 powershell.exe
1236 powershell.exe
1236 powershell.exe
2788 RUNDLL32.EXE
2788 RUNDLL32.EXE
208 powershell.exe
208 powershell.exe
208 powershell.exe

pid	process
1236	powershell.exe
1236	powershell.exe
1236	powershell.exe
2788	RUNDLL32.EXE
2788	RUNDLL32.EXE
208	powershell.exe
208	powershell.exe
208	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2732	rundll32.exe
Token: SeDebugPrivilege	2788	RUNDLL32.EXE
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2788 RUNDLL32.EXE

pid	process
2788	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

klok.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3876 wrote to memory of 2732	3876	klok.exe	rundll32.exe
PID 3876 wrote to memory of 2732	3876	klok.exe	rundll32.exe
PID 3876 wrote to memory of 2732	3876	klok.exe	rundll32.exe
PID 2732 wrote to memory of 2788	2732	rundll32.exe	RUNDLL32.EXE
PID 2732 wrote to memory of 2788	2732	rundll32.exe	RUNDLL32.EXE
PID 2732 wrote to memory of 2788	2732	rundll32.exe	RUNDLL32.EXE
PID 2788 wrote to memory of 1236	2788	RUNDLL32.EXE	powershell.exe
PID 2788 wrote to memory of 1236	2788	RUNDLL32.EXE	powershell.exe
PID 2788 wrote to memory of 1236	2788	RUNDLL32.EXE	powershell.exe
PID 2788 wrote to memory of 208	2788	RUNDLL32.EXE	powershell.exe
PID 2788 wrote to memory of 208	2788	RUNDLL32.EXE	powershell.exe
PID 2788 wrote to memory of 208	2788	RUNDLL32.EXE	powershell.exe
PID 208 wrote to memory of 2280	208	powershell.exe	nslookup.exe
PID 208 wrote to memory of 2280	208	powershell.exe	nslookup.exe
PID 208 wrote to memory of 2280	208	powershell.exe	nslookup.exe
PID 2788 wrote to memory of 3128	2788	RUNDLL32.EXE	schtasks.exe
PID 2788 wrote to memory of 3128	2788	RUNDLL32.EXE	schtasks.exe
PID 2788 wrote to memory of 3128	2788	RUNDLL32.EXE	schtasks.exe
PID 2788 wrote to memory of 1552	2788	RUNDLL32.EXE	schtasks.exe
PID 2788 wrote to memory of 1552	2788	RUNDLL32.EXE	schtasks.exe
PID 2788 wrote to memory of 1552	2788	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\klok.exe
"C:\Users\Admin\AppData\Local\Temp\klok.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\klok.exe
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLL,QhAyfI0=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp7F09.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp9293.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2280

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3128

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
539fb631c37f16a58f066fca8d734f47

SHA1
54d7f6258bc85ad1229c198e1cfea8ae248ffab5

SHA256
3f3ef7c6e292aabbf6454ec96c87f8d548c11db5fc34d9b8e368a905e4b60bf4

SHA512
c767f0f70336f8da3f7e89f45e5ae23b656e79c5d78b3bbac3690e7228d5cb477eac9fbe3803fd61549ce3083c0b0a67015806c7ad7485ee31b2b8d5b141809c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLL
MD5
c82a4b861572d2434ab145431c3ce718

SHA1
3c53a19110c1d0e5bbabfb33d90830f3458bfd63

SHA256
ceb45d4c7e40229621d326faf8ff2de10c105130d0a4cc5427c28616ec270cf6

SHA512
c6e5531f27f2790bdbeb282c07cb4f26900e93ff6676397a5784cd6730ef9b1c4c8921d70539212eb96c177c72de4fcc89c05f3861f06f626d9ed7f5ad99fdb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F09.tmp.ps1
MD5
43af04329596e11746589096ff125911

SHA1
d5a2c443657225095ddd32acd017cbbbf5f3325d

SHA256
b6d532d5f0bfb87f13ab270cff2af9cd60032f296971d71c483308fde9b8ffcb

SHA512
e72ad57e83ae351cbcae261bbeab31cead3a8538280e7fe583d8893a6dd9bb77e7cf942ffbded5ccff0780db391f7b7b7bf12edf9e3a32dd57c8f3eae7b14032

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F0A.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9293.tmp.ps1
MD5
1ac11ad0943bfa534b222aa96c878a9c

SHA1
10f120d023c892171a0d774cd030d8c59335d92e

SHA256
57e77ff2e3210c306b50a5e55a323fd616f10169cb2b5ad331e6bfd086bec682

SHA512
0163193d5acaa8ed891ce3b286608a5d055b67b757baf5040d26b432d635dbec108c428d8c293f0f750cf45e9db98e2db712558effbb55be7dbe3e7170eb6224

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92A4.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLL
MD5
c82a4b861572d2434ab145431c3ce718

SHA1
3c53a19110c1d0e5bbabfb33d90830f3458bfd63

SHA256
ceb45d4c7e40229621d326faf8ff2de10c105130d0a4cc5427c28616ec270cf6

SHA512
c6e5531f27f2790bdbeb282c07cb4f26900e93ff6676397a5784cd6730ef9b1c4c8921d70539212eb96c177c72de4fcc89c05f3861f06f626d9ed7f5ad99fdb7

Download Submit
\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLL
MD5
c82a4b861572d2434ab145431c3ce718

SHA1
3c53a19110c1d0e5bbabfb33d90830f3458bfd63

SHA256
ceb45d4c7e40229621d326faf8ff2de10c105130d0a4cc5427c28616ec270cf6

SHA512
c6e5531f27f2790bdbeb282c07cb4f26900e93ff6676397a5784cd6730ef9b1c4c8921d70539212eb96c177c72de4fcc89c05f3861f06f626d9ed7f5ad99fdb7

Download Submit
\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLL
MD5
c82a4b861572d2434ab145431c3ce718

SHA1
3c53a19110c1d0e5bbabfb33d90830f3458bfd63

SHA256
ceb45d4c7e40229621d326faf8ff2de10c105130d0a4cc5427c28616ec270cf6

SHA512
c6e5531f27f2790bdbeb282c07cb4f26900e93ff6676397a5784cd6730ef9b1c4c8921d70539212eb96c177c72de4fcc89c05f3861f06f626d9ed7f5ad99fdb7

Download Submit
memory/208-168-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/208-170-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/208-165-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/208-172-0x0000000000DA2000-0x0000000000DA3000-memory.dmp

Filesize
4KB

Download
memory/208-156-0x0000000000000000-mapping.dmp

Download
memory/208-182-0x0000000000DA3000-0x0000000000DA4000-memory.dmp

Filesize
4KB

Download
memory/1236-140-0x00000000082D0000-0x00000000082D1000-memory.dmp

Filesize
4KB

Download
memory/1236-133-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/1236-136-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/1236-137-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/1236-138-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/1236-139-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/1236-130-0x0000000000000000-mapping.dmp

Download
memory/1236-141-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1236-142-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download
memory/1236-143-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download
memory/1236-134-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/1236-145-0x00000000086D0000-0x00000000086D1000-memory.dmp

Filesize
4KB

Download
memory/1236-150-0x0000000009D30000-0x0000000009D31000-memory.dmp

Filesize
4KB

Download
memory/1236-151-0x00000000092B0000-0x00000000092B1000-memory.dmp

Filesize
4KB

Download
memory/1236-152-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/1236-135-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/1236-155-0x0000000004A33000-0x0000000004A34000-memory.dmp

Filesize
4KB

Download
memory/1552-185-0x0000000000000000-mapping.dmp

Download
memory/2280-180-0x0000000000000000-mapping.dmp

Download
memory/2732-127-0x0000000000E30000-0x0000000000F7A000-memory.dmp

Filesize
1.3MB

Download
memory/2732-115-0x0000000000000000-mapping.dmp

Download
memory/2732-126-0x00000000050E1000-0x0000000005740000-memory.dmp

Filesize
6.4MB

Download
memory/2788-125-0x00000000044D0000-0x0000000004A8A000-memory.dmp

Filesize
5.7MB

Download
memory/2788-169-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2788-122-0x0000000000000000-mapping.dmp

Download
memory/2788-129-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/2788-128-0x0000000004EE1000-0x0000000005540000-memory.dmp

Filesize
6.4MB

Download
memory/3128-184-0x0000000000000000-mapping.dmp

Download
memory/3876-117-0x0000000000B10000-0x0000000000BBE000-memory.dmp

Filesize
696KB

Download
memory/3876-116-0x0000000000400000-0x0000000000B01000-memory.dmp

Filesize
7.0MB

Download
memory/3876-114-0x00000000014E0000-0x0000000001BD6000-memory.dmp

Filesize
7.0MB

Download