danabot | a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d

General

Target

b75e7348_by_Libranalysis.dll
Size

9.3MB
MD5

b75e734845e212357778571c255f90bb
SHA1

76228ef3173b003f0319cfc3a4e6ee9c51ace683
SHA256

a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d
SHA512

af098bc44e0ce89ae0c0d97f507b64a80bc77e2a8caeb91869e9c3ba8cf600e691510306b667be2b5002068c3c5d21ecb9d792876657550a0c9f720e069c6356

Score

10^/10

danabot 22 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

22

C2

198.211.116.98:443

165.227.38.61:443

8.208.9.104:443

134.209.237.20:443

Attributes

embedded_hash
F0CDE8332809AAECCF99C00772B539AB

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 1 IoCs

Processes:

RUNDLL32.EXE

flow pid process

12 3048 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
12	3048	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
2064	powershell.exe
2064	powershell.exe
2064	powershell.exe
3048	RUNDLL32.EXE
3048	RUNDLL32.EXE
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

regsvr32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3992	regsvr32.exe
Token: SeDebugPrivilege	3048	RUNDLL32.EXE
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

3048 RUNDLL32.EXE

pid	process
3048	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

regsvr32.exeregsvr32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 636 wrote to memory of 3992	636	regsvr32.exe	regsvr32.exe
PID 636 wrote to memory of 3992	636	regsvr32.exe	regsvr32.exe
PID 636 wrote to memory of 3992	636	regsvr32.exe	regsvr32.exe
PID 3992 wrote to memory of 3048	3992	regsvr32.exe	RUNDLL32.EXE
PID 3992 wrote to memory of 3048	3992	regsvr32.exe	RUNDLL32.EXE
PID 3992 wrote to memory of 3048	3992	regsvr32.exe	RUNDLL32.EXE
PID 3048 wrote to memory of 2064	3048	RUNDLL32.EXE	powershell.exe
PID 3048 wrote to memory of 2064	3048	RUNDLL32.EXE	powershell.exe
PID 3048 wrote to memory of 2064	3048	RUNDLL32.EXE	powershell.exe
PID 3048 wrote to memory of 2260	3048	RUNDLL32.EXE	powershell.exe
PID 3048 wrote to memory of 2260	3048	RUNDLL32.EXE	powershell.exe
PID 3048 wrote to memory of 2260	3048	RUNDLL32.EXE	powershell.exe
PID 2260 wrote to memory of 2152	2260	powershell.exe	nslookup.exe
PID 2260 wrote to memory of 2152	2260	powershell.exe	nslookup.exe
PID 2260 wrote to memory of 2152	2260	powershell.exe	nslookup.exe
PID 3048 wrote to memory of 2724	3048	RUNDLL32.EXE	schtasks.exe
PID 3048 wrote to memory of 2724	3048	RUNDLL32.EXE	schtasks.exe
PID 3048 wrote to memory of 2724	3048	RUNDLL32.EXE	schtasks.exe
PID 3048 wrote to memory of 624	3048	RUNDLL32.EXE	schtasks.exe
PID 3048 wrote to memory of 624	3048	RUNDLL32.EXE	schtasks.exe
PID 3048 wrote to memory of 624	3048	RUNDLL32.EXE	schtasks.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b75e7348_by_Libranalysis.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b75e7348_by_Libranalysis.dll
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\b75e7348_by_Libranalysis.dll,ZiFFZI0=
3⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE8A0.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpCD4.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2152

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2724

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0d0f68d74d0436eb8d0c561a078b0c80

SHA1
bac6317865479360296fbcc6cc8d290fc5714304

SHA256
835e7f9a608416ad6ef7b36185026b528d9ec36db373e4c4d59ef3d2986c6620

SHA512
ecff799167e5f9b96083976ded24957d7b9d99306a793ade32ecb1c78b4b46c913e88f638af7d495a41be81f6c19cae348dbdac143f0a0ee54a7b40c7934db5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCD4.tmp.ps1
MD5
961a583faba768d0bac470ffdd5549da

SHA1
f55a85f9db6e9de13f778f59fe440a78b5725112

SHA256
11c247dad1ba169661609842c7b55e0bc55e354eef0b181531ee98840725342c

SHA512
717c073013da1dab1bfc7a501c03ea8e6b2591937dc62bbc33b58d0e0900129a78c0ec030533248cc18624f7436fbc8cb0fffe10cc380d9f1c1910efdfe8fa49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCD5.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE8A0.tmp.ps1
MD5
efc8572ed5a1f7a22bffa47f75db6d8e

SHA1
134a728671ef18863a2814767ebdd1eb54ce74be

SHA256
076727ceda8f0a37163787ba784a1450eaf36d3831d00362b14d06fcb13dd513

SHA512
0b878fa2c35e287240da8e760f0e4e962134fa383b56b51360b74df5aba3915f316e0daf908676249e3826aff643f7a6faebfa1e9d489df30bd5c8b74b2a71f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE8A1.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
memory/624-179-0x0000000000000000-mapping.dmp

Download
memory/2064-136-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/2064-144-0x0000000009580000-0x0000000009581000-memory.dmp

Filesize
4KB

Download
memory/2064-149-0x00000000066C3000-0x00000000066C4000-memory.dmp

Filesize
4KB

Download
memory/2064-124-0x0000000000000000-mapping.dmp

Download
memory/2064-127-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download
memory/2064-128-0x0000000006D00000-0x0000000006D01000-memory.dmp

Filesize
4KB

Download
memory/2064-130-0x00000000066C2000-0x00000000066C3000-memory.dmp

Filesize
4KB

Download
memory/2064-129-0x00000000066C0000-0x00000000066C1000-memory.dmp

Filesize
4KB

Download
memory/2064-131-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/2064-132-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/2064-133-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/2064-134-0x00000000075E0000-0x00000000075E1000-memory.dmp

Filesize
4KB

Download
memory/2064-135-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/2064-146-0x0000000008DC0000-0x0000000008DC1000-memory.dmp

Filesize
4KB

Download
memory/2064-137-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/2064-145-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/2064-139-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/2152-174-0x0000000000000000-mapping.dmp

Download
memory/2260-160-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/2260-177-0x00000000049B3000-0x00000000049B4000-memory.dmp

Filesize
4KB

Download
memory/2260-166-0x00000000049B2000-0x00000000049B3000-memory.dmp

Filesize
4KB

Download
memory/2260-150-0x0000000000000000-mapping.dmp

Download
memory/2260-165-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2260-163-0x00000000087C0000-0x00000000087C1000-memory.dmp

Filesize
4KB

Download
memory/2724-178-0x0000000000000000-mapping.dmp

Download
memory/3048-123-0x0000000006531000-0x0000000006B90000-memory.dmp

Filesize
6.4MB

Download
memory/3048-151-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3048-117-0x0000000000000000-mapping.dmp

Download
memory/3048-122-0x0000000004580000-0x0000000004EDA000-memory.dmp

Filesize
9.4MB

Download
memory/3048-120-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3048-121-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/3992-118-0x00000000060C1000-0x0000000006720000-memory.dmp

Filesize
6.4MB

Download
memory/3992-119-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/3992-116-0x0000000004540000-0x0000000004E9A000-memory.dmp

Filesize
9.4MB

Download
memory/3992-114-0x0000000000000000-mapping.dmp

Download
memory/3992-115-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads