danabot | a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d

General

Target

a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d.dll
Size

9.3MB
MD5

b75e734845e212357778571c255f90bb
SHA1

76228ef3173b003f0319cfc3a4e6ee9c51ace683
SHA256

a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d
SHA512

af098bc44e0ce89ae0c0d97f507b64a80bc77e2a8caeb91869e9c3ba8cf600e691510306b667be2b5002068c3c5d21ecb9d792876657550a0c9f720e069c6356

Score

10^/10

danabot 22 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

22

C2

198.211.116.98:443

165.227.38.61:443

8.208.9.104:443

134.209.237.20:443

Attributes

embedded_hash
F0CDE8332809AAECCF99C00772B539AB

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 1 IoCs

Processes:

RUNDLL32.EXE

flow pid process

13 2668 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
13	2668	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3896	powershell.exe
3896	powershell.exe
3896	powershell.exe
2668	RUNDLL32.EXE
2668	RUNDLL32.EXE
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

regsvr32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2648	regsvr32.exe
Token: SeDebugPrivilege	2668	RUNDLL32.EXE
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2668 RUNDLL32.EXE

pid	process
2668	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

regsvr32.exeregsvr32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 604 wrote to memory of 2648	604	regsvr32.exe	regsvr32.exe
PID 604 wrote to memory of 2648	604	regsvr32.exe	regsvr32.exe
PID 604 wrote to memory of 2648	604	regsvr32.exe	regsvr32.exe
PID 2648 wrote to memory of 2668	2648	regsvr32.exe	RUNDLL32.EXE
PID 2648 wrote to memory of 2668	2648	regsvr32.exe	RUNDLL32.EXE
PID 2648 wrote to memory of 2668	2648	regsvr32.exe	RUNDLL32.EXE
PID 2668 wrote to memory of 3896	2668	RUNDLL32.EXE	powershell.exe
PID 2668 wrote to memory of 3896	2668	RUNDLL32.EXE	powershell.exe
PID 2668 wrote to memory of 3896	2668	RUNDLL32.EXE	powershell.exe
PID 2668 wrote to memory of 1292	2668	RUNDLL32.EXE	powershell.exe
PID 2668 wrote to memory of 1292	2668	RUNDLL32.EXE	powershell.exe
PID 2668 wrote to memory of 1292	2668	RUNDLL32.EXE	powershell.exe
PID 1292 wrote to memory of 1188	1292	powershell.exe	nslookup.exe
PID 1292 wrote to memory of 1188	1292	powershell.exe	nslookup.exe
PID 1292 wrote to memory of 1188	1292	powershell.exe	nslookup.exe
PID 2668 wrote to memory of 492	2668	RUNDLL32.EXE	schtasks.exe
PID 2668 wrote to memory of 492	2668	RUNDLL32.EXE	schtasks.exe
PID 2668 wrote to memory of 492	2668	RUNDLL32.EXE	schtasks.exe
PID 2668 wrote to memory of 1464	2668	RUNDLL32.EXE	schtasks.exe
PID 2668 wrote to memory of 1464	2668	RUNDLL32.EXE	schtasks.exe
PID 2668 wrote to memory of 1464	2668	RUNDLL32.EXE	schtasks.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d.dll
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d.dll,TzcYLDa0Brw=
3⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp9139.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpB492.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:1188

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:492

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6a7e68330963f0c7a151fb4263e47604

SHA1
b493014e4558981b2bb4637c2b9227ad1684ab92

SHA256
03a8b7d41bb531c50b59ed31694df40f14c5d79399898ae7c5df885ac71b81c4

SHA512
9c0ab0e60615cf7bf677638b7e2e7e968065eaeaa2a230273e18d22c351ac52eee4a8328fc7136c90a8b47674bcfaa465e2321a382a7e39d9b555142e55a47aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9139.tmp.ps1
MD5
b3ba7c08f0e9ce72485626109c840067

SHA1
a178052b8d118f7a674ab960e51643a1103c5f01

SHA256
8a63d009cad209ab541b3548f6d6c4a63f618e55b54b9c227bb9a0e38dcc6124

SHA512
a24a4d7fc8fe9f4d2957ce48df2ffe0fc303f9c8036bef2a71c679d6e170ef35679c8102a09785e3be90cd8698e837756f752d9dd216728d4353640c0b2bfbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp913A.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB492.tmp.ps1
MD5
ad3da293a4327e8a6c38d55cfcc4782a

SHA1
1fe837e4653e0cb93d1e65f16c419855a9efbf93

SHA256
4165208382c87605b46ac605b1554f0d91d67ec21cc44439eecd0d0a237144ef

SHA512
5836e0e72242263fe1e4c9d8e675f98d3327bf59adb02f5905a2e7bd833ad5b9e5b09ffeb82b2bf007982ba6a5ad0f70e08e3fae0f7fa276a060badd8ec108ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB493.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
memory/492-181-0x0000000000000000-mapping.dmp

Download
memory/1188-178-0x0000000000000000-mapping.dmp

Download
memory/1292-167-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1292-164-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/1292-154-0x0000000000000000-mapping.dmp

Download
memory/1292-168-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/1292-182-0x0000000002743000-0x0000000002744000-memory.dmp

Filesize
4KB

Download
memory/1292-169-0x0000000002742000-0x0000000002743000-memory.dmp

Filesize
4KB

Download
memory/1464-183-0x0000000000000000-mapping.dmp

Download
memory/2648-119-0x0000000006301000-0x0000000006960000-memory.dmp

Filesize
6.4MB

Download
memory/2648-118-0x0000000003400000-0x000000000354A000-memory.dmp

Filesize
1.3MB

Download
memory/2648-116-0x0000000000400000-0x0000000000D5A000-memory.dmp

Filesize
9.4MB

Download
memory/2648-115-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2648-114-0x0000000000000000-mapping.dmp

Download
memory/2668-121-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/2668-120-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2668-125-0x0000000004820000-0x000000000517A000-memory.dmp

Filesize
9.4MB

Download
memory/2668-127-0x0000000006771000-0x0000000006DD0000-memory.dmp

Filesize
6.4MB

Download
memory/2668-117-0x0000000000000000-mapping.dmp

Download
memory/2668-155-0x0000000002DB0000-0x0000000002EFA000-memory.dmp

Filesize
1.3MB

Download
memory/3896-128-0x0000000000000000-mapping.dmp

Download
memory/3896-150-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/3896-153-0x0000000006CA3000-0x0000000006CA4000-memory.dmp

Filesize
4KB

Download
memory/3896-149-0x0000000009140000-0x0000000009141000-memory.dmp

Filesize
4KB

Download
memory/3896-148-0x0000000009BB0000-0x0000000009BB1000-memory.dmp

Filesize
4KB

Download
memory/3896-143-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/3896-141-0x00000000083D0000-0x00000000083D1000-memory.dmp

Filesize
4KB

Download
memory/3896-140-0x0000000008520000-0x0000000008521000-memory.dmp

Filesize
4KB

Download
memory/3896-139-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/3896-138-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/3896-137-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/3896-136-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/3896-135-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/3896-133-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/3896-134-0x0000000006CA2000-0x0000000006CA3000-memory.dmp

Filesize
4KB

Download
memory/3896-132-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/3896-131-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads