danabot | 8884c731201c65b7db739e95839374b509ac0cd4a2b18b7075864f56d13c9bd7

Analysis

max time kernel
135s
max time network
113s
platform
windows10_x64
resource
win10v20210408
submitted
06-05-2021 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cvhost.exe
Size

6.1MB
MD5

51209196cdca1e7988eac671f69a58a4
SHA1

eabe5ca552932cd3d94e95eaacc3449722cadae6
SHA256

8884c731201c65b7db739e95839374b509ac0cd4a2b18b7075864f56d13c9bd7
SHA512

3203aa4427fdc1fc56d6cb69537fb92dc1100871f069a034b07a085227690a217d8ff780b236461f9f006dcd507505e9249ef00c6da8915aa4bc1cf0406f03c8

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.180:443

192.236.147.83:443

184.95.51.175:443

184.95.51.183:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 2 IoCs

Processes:

RUNDLL32.EXE

flow pid process

10 2648 RUNDLL32.EXE
22 2648 RUNDLL32.EXE
Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

3756 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3756 rundll32.exe
2648 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
10	2648	RUNDLL32.EXE
22	2648	RUNDLL32.EXE

pid	process
3756	rundll32.exe

pid	process
3756	rundll32.exe
2648	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid	process
2052	powershell.exe
2052	powershell.exe
2052	powershell.exe
2648	RUNDLL32.EXE
2648	RUNDLL32.EXE
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3756	rundll32.exe
Token: SeDebugPrivilege	2648	RUNDLL32.EXE
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2648 RUNDLL32.EXE

pid	process
2648	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cvhost.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 472 wrote to memory of 3756	472	cvhost.exe	rundll32.exe
PID 472 wrote to memory of 3756	472	cvhost.exe	rundll32.exe
PID 472 wrote to memory of 3756	472	cvhost.exe	rundll32.exe
PID 3756 wrote to memory of 2648	3756	rundll32.exe	RUNDLL32.EXE
PID 3756 wrote to memory of 2648	3756	rundll32.exe	RUNDLL32.EXE
PID 3756 wrote to memory of 2648	3756	rundll32.exe	RUNDLL32.EXE
PID 2648 wrote to memory of 2052	2648	RUNDLL32.EXE	powershell.exe
PID 2648 wrote to memory of 2052	2648	RUNDLL32.EXE	powershell.exe
PID 2648 wrote to memory of 2052	2648	RUNDLL32.EXE	powershell.exe
PID 2648 wrote to memory of 2164	2648	RUNDLL32.EXE	powershell.exe
PID 2648 wrote to memory of 2164	2648	RUNDLL32.EXE	powershell.exe
PID 2648 wrote to memory of 2164	2648	RUNDLL32.EXE	powershell.exe
PID 2164 wrote to memory of 3592	2164	powershell.exe	nslookup.exe
PID 2164 wrote to memory of 3592	2164	powershell.exe	nslookup.exe
PID 2164 wrote to memory of 3592	2164	powershell.exe	nslookup.exe
PID 2648 wrote to memory of 3152	2648	RUNDLL32.EXE	schtasks.exe
PID 2648 wrote to memory of 3152	2648	RUNDLL32.EXE	schtasks.exe
PID 2648 wrote to memory of 3152	2648	RUNDLL32.EXE	schtasks.exe
PID 2648 wrote to memory of 2268	2648	RUNDLL32.EXE	schtasks.exe
PID 2648 wrote to memory of 2268	2648	RUNDLL32.EXE	schtasks.exe
PID 2648 wrote to memory of 2268	2648	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\cvhost.exe
"C:\Users\Admin\AppData\Local\Temp\cvhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CVHOST~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\cvhost.exe
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\CVHOST~1.DLL,JAMh
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1F5.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3C8F.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:3592

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3152

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1f8b4e9f5297a3568078d0fc8a5ae8fa

SHA1
22a27f1eed397982db0cc12669657edd7c07dfd8

SHA256
119a24bb27340c08c416ca98b7e069fb0d4ee345efe6c8ca67c0f919edf21834

SHA512
9fa5de22f5642e3f71251f5c3f4f7a5b8a2fd500e0bd99670345cee95ea7ca70a4e7b5e452047cff499c6fe6665610896d90f2cae74898a7f1348aea210a8ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\CVHOST~1.DLL
MD5
dd48fbaee3fa2b53707df0a329f63213

SHA1
ff95cb081070d8f67faf399cec209f62c2d1c1eb

SHA256
92204e0e3f9296e8e8d07fb7d8155d22a633812360bbfa4bd7221147820c6b24

SHA512
5a437a522688ee190d4e531881227b5b42a790193b9698d1432e17270d86d1ed67648b5159e132edc0edcd3a3a49f0644eba3e570aaa6323b355739577e64973

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F5.tmp.ps1
MD5
3bb6319b257b49ec7d46157e7a995a9b

SHA1
9dec2ff5eaa257ba6f3e598a6bc97b870f572e4f

SHA256
627f9b72696cd43a18f073c6ae71dd612e6ad199e0ca45483f3a79d2b9e7200f

SHA512
ce48d6041f2a68cc8aa0dd1dac3184de007fc126edb9d033c498b713352a28e4c03525873c588e9dd0caaf55c15337f9851ed2b2b43ff7d293b2b9353ac7404d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F6.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3C8F.tmp.ps1
MD5
ae6a11f8101b614c178c15b9a4a23ff2

SHA1
021aeb95fc772e8462a597e7fde45ffec6ecc459

SHA256
2bebc35de99c55f21d84b6e52e3628bb54609a9bb963fef5c3381be9805fad6c

SHA512
d5fa6486ce5aa803be54ee9132f5571ab09ddebddb29877c4673783c64a02062904c7359b2ce8b936053d030d43d525a8cf13243c52677af48536639d3e5a7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3C9F.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\CVHOST~1.DLL
MD5
dd48fbaee3fa2b53707df0a329f63213

SHA1
ff95cb081070d8f67faf399cec209f62c2d1c1eb

SHA256
92204e0e3f9296e8e8d07fb7d8155d22a633812360bbfa4bd7221147820c6b24

SHA512
5a437a522688ee190d4e531881227b5b42a790193b9698d1432e17270d86d1ed67648b5159e132edc0edcd3a3a49f0644eba3e570aaa6323b355739577e64973

Download Submit
\Users\Admin\AppData\Local\Temp\CVHOST~1.DLL
MD5
dd48fbaee3fa2b53707df0a329f63213

SHA1
ff95cb081070d8f67faf399cec209f62c2d1c1eb

SHA256
92204e0e3f9296e8e8d07fb7d8155d22a633812360bbfa4bd7221147820c6b24

SHA512
5a437a522688ee190d4e531881227b5b42a790193b9698d1432e17270d86d1ed67648b5159e132edc0edcd3a3a49f0644eba3e570aaa6323b355739577e64973

Download Submit
memory/472-115-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/472-116-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/472-114-0x0000000002EA0000-0x00000000035A6000-memory.dmp

Filesize
7.0MB

Download
memory/2052-129-0x0000000000000000-mapping.dmp

Download
memory/2052-151-0x0000000007F70000-0x0000000007F71000-memory.dmp

Filesize
4KB

Download
memory/2052-134-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/2052-135-0x00000000042F2000-0x00000000042F3000-memory.dmp

Filesize
4KB

Download
memory/2052-136-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/2052-137-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/2052-138-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/2052-139-0x0000000007700000-0x0000000007701000-memory.dmp

Filesize
4KB

Download
memory/2052-140-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/2052-141-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/2052-142-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/2052-132-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/2052-144-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

Filesize
4KB

Download
memory/2052-149-0x00000000095D0000-0x00000000095D1000-memory.dmp

Filesize
4KB

Download
memory/2052-150-0x0000000008BF0000-0x0000000008BF1000-memory.dmp

Filesize
4KB

Download
memory/2052-133-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/2052-154-0x00000000042F3000-0x00000000042F4000-memory.dmp

Filesize
4KB

Download
memory/2164-167-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/2164-182-0x00000000069F3000-0x00000000069F4000-memory.dmp

Filesize
4KB

Download
memory/2164-164-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/2164-155-0x0000000000000000-mapping.dmp

Download
memory/2164-169-0x00000000069F2000-0x00000000069F3000-memory.dmp

Filesize
4KB

Download
memory/2164-170-0x0000000007D30000-0x0000000007D31000-memory.dmp

Filesize
4KB

Download
memory/2268-184-0x0000000000000000-mapping.dmp

Download
memory/2648-127-0x0000000005161000-0x00000000057C0000-memory.dmp

Filesize
6.4MB

Download
memory/2648-166-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/2648-122-0x0000000000000000-mapping.dmp

Download
memory/3152-183-0x0000000000000000-mapping.dmp

Download
memory/3592-179-0x0000000000000000-mapping.dmp

Download
memory/3756-117-0x0000000000000000-mapping.dmp

Download
memory/3756-128-0x0000000002EA0000-0x0000000002FEA000-memory.dmp

Filesize
1.3MB

Download
memory/3756-124-0x0000000004FF1000-0x0000000005650000-memory.dmp

Filesize
6.4MB

Download