danabot | 74b8b2e3d124aefc4463a3eef842502ea387de3d680c8ea3b4ea02f29fa34092

Analysis

max time kernel
129s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
01-06-2021 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loaded.bin.exe
Size

4.0MB
MD5

d685f70e0e276d44503a7a4db3f2b81e
SHA1

1d276eeb5d4e3a3cd8f5291927e98cd1e3fb7392
SHA256

74b8b2e3d124aefc4463a3eef842502ea387de3d680c8ea3b4ea02f29fa34092
SHA512

f4372a002cf8916d54f235e684dad637107e66d26849515fcfdabeb6cf526a562646298d67ae04264c42f7656c0a0be73253ee95eb9537ae8078c396b14266bd

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

192.236.192.241:443

134.119.186.199:443

172.93.201.39:443

104.168.156.222:443

Attributes

embedded_hash
82C66843DE542BC5CB88F713DE39B52B

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3628 created 3680 3628 WerFault.exe loaded.bin.exe
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

19 2752 RUNDLL32.EXE
20 2752 RUNDLL32.EXE
21 2752 RUNDLL32.EXE
22 2752 RUNDLL32.EXE
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2616 rundll32.exe
2616 rundll32.exe
2752 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3628 3680 WerFault.exe loaded.bin.exe

description	pid	process	target process
PID 3628 created 3680	3628	WerFault.exe	loaded.bin.exe

flow	pid	process
19	2752	RUNDLL32.EXE
20	2752	RUNDLL32.EXE
21	2752	RUNDLL32.EXE
22	2752	RUNDLL32.EXE

pid	process
2616	rundll32.exe
2616	rundll32.exe
2752	RUNDLL32.EXE

pid	pid_target	process	target process
3628	3680	WerFault.exe	loaded.bin.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

WerFault.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
2104	powershell.exe
2104	powershell.exe
2104	powershell.exe
2752	RUNDLL32.EXE
2752	RUNDLL32.EXE
1308	powershell.exe
1308	powershell.exe
1308	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

WerFault.exerundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	3628	WerFault.exe
Token: SeBackupPrivilege	3628	WerFault.exe
Token: SeDebugPrivilege	3628	WerFault.exe
Token: SeDebugPrivilege	2616	rundll32.exe
Token: SeDebugPrivilege	2752	RUNDLL32.EXE
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2752 RUNDLL32.EXE

pid	process
2752	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

loaded.bin.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3680 wrote to memory of 2616	3680	loaded.bin.exe	rundll32.exe
PID 3680 wrote to memory of 2616	3680	loaded.bin.exe	rundll32.exe
PID 3680 wrote to memory of 2616	3680	loaded.bin.exe	rundll32.exe
PID 2616 wrote to memory of 2752	2616	rundll32.exe	RUNDLL32.EXE
PID 2616 wrote to memory of 2752	2616	rundll32.exe	RUNDLL32.EXE
PID 2616 wrote to memory of 2752	2616	rundll32.exe	RUNDLL32.EXE
PID 2752 wrote to memory of 2104	2752	RUNDLL32.EXE	powershell.exe
PID 2752 wrote to memory of 2104	2752	RUNDLL32.EXE	powershell.exe
PID 2752 wrote to memory of 2104	2752	RUNDLL32.EXE	powershell.exe
PID 2752 wrote to memory of 1308	2752	RUNDLL32.EXE	powershell.exe
PID 2752 wrote to memory of 1308	2752	RUNDLL32.EXE	powershell.exe
PID 2752 wrote to memory of 1308	2752	RUNDLL32.EXE	powershell.exe
PID 1308 wrote to memory of 4036	1308	powershell.exe	nslookup.exe
PID 1308 wrote to memory of 4036	1308	powershell.exe	nslookup.exe
PID 1308 wrote to memory of 4036	1308	powershell.exe	nslookup.exe
PID 2752 wrote to memory of 1364	2752	RUNDLL32.EXE	schtasks.exe
PID 2752 wrote to memory of 1364	2752	RUNDLL32.EXE	schtasks.exe
PID 2752 wrote to memory of 1364	2752	RUNDLL32.EXE	schtasks.exe
PID 2752 wrote to memory of 1604	2752	RUNDLL32.EXE	schtasks.exe
PID 2752 wrote to memory of 1604	2752	RUNDLL32.EXE	schtasks.exe
PID 2752 wrote to memory of 1604	2752	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\loaded.bin.exe
"C:\Users\Admin\AppData\Local\Temp\loaded.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\LOADED~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\LOADED~1.EXE
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\LOADED~1.DLL,JAgcfI0=
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4423.tmp.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5878.tmp.ps1"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        5⤵
        
        PID:4036
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      4⤵
      PID:1604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 540
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
e5fe2ee21a7c3242a38dccae61b750cb

SHA1
6fd54b13efe61a98cd30e4c885d14c10735276ec

SHA256
586a48e0a0425ca1057d6b270d4c3fd441ef831f49407758ed7a91c94db13ec0

SHA512
d60ba63b2b8998cdba5c0b301752e389bfe0fd6c8e4a1469947279c484cc85e10c3a5f2577ea72b61031ac95e36a1575cd0c2fc5dbdbe230465335c2486da1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOADED~1.DLL

MD5
aa9800a9bd0520591464786cf65e76a5

SHA1
c0f6df27ce0ea6888a08a913422546b7c3a815d9

SHA256
ba16eff206f2965a66540d1c4eb169267e26fbaad393224011fcd106ddbb0140

SHA512
b4edab2b916b5f0fd8d43099cba0a2bad495150fc33ad1ab54b7c855df41193205177f037ef5ad631de471b0be37f2618e8209b19a4200a9535da01b88f11219

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4423.tmp.ps1

MD5
a92ef3ccd6f74ada6115c7363bb76270

SHA1
4cdf4beffc09ed961beba1321707724e5f89007e

SHA256
654be3f0a618980bcf5bfd8e42f2b6ad6f5ed2bbdd94a80953ee08351a6c4181

SHA512
d22a1620e93525967d585d25486367d830b10f4fd9b9fbd53dfc652b6ff097839749c926204eae0bcb78611e6141c3124073a7dcacf39b759178b0aaaee962ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4424.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5878.tmp.ps1

MD5
bb61fbe9dbdebd403baf7ff1267b2823

SHA1
052e0d8e12b7f17a080db664357edc67792f1b34

SHA256
e8e704e5f589df137e198df8990fc76facb8749c43b74307bb5514b7941aacd6

SHA512
77cf4ec0e0c3cf31f16875204b09d9a48076e775864c1d7504629269d4fe2d2c837a0b8f5bef75f228fd260086bcb21dc7d8d4f6c9bb38407905955ca41c2139

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5879.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\LOADED~1.DLL

MD5
aa9800a9bd0520591464786cf65e76a5

SHA1
c0f6df27ce0ea6888a08a913422546b7c3a815d9

SHA256
ba16eff206f2965a66540d1c4eb169267e26fbaad393224011fcd106ddbb0140

SHA512
b4edab2b916b5f0fd8d43099cba0a2bad495150fc33ad1ab54b7c855df41193205177f037ef5ad631de471b0be37f2618e8209b19a4200a9535da01b88f11219

Download Submit
\Users\Admin\AppData\Local\Temp\LOADED~1.DLL

MD5
aa9800a9bd0520591464786cf65e76a5

SHA1
c0f6df27ce0ea6888a08a913422546b7c3a815d9

SHA256
ba16eff206f2965a66540d1c4eb169267e26fbaad393224011fcd106ddbb0140

SHA512
b4edab2b916b5f0fd8d43099cba0a2bad495150fc33ad1ab54b7c855df41193205177f037ef5ad631de471b0be37f2618e8209b19a4200a9535da01b88f11219

Download Submit
\Users\Admin\AppData\Local\Temp\LOADED~1.DLL

MD5
aa9800a9bd0520591464786cf65e76a5

SHA1
c0f6df27ce0ea6888a08a913422546b7c3a815d9

SHA256
ba16eff206f2965a66540d1c4eb169267e26fbaad393224011fcd106ddbb0140

SHA512
b4edab2b916b5f0fd8d43099cba0a2bad495150fc33ad1ab54b7c855df41193205177f037ef5ad631de471b0be37f2618e8209b19a4200a9535da01b88f11219

Download Submit
memory/1308-176-0x0000000004682000-0x0000000004683000-memory.dmp

Filesize
4KB

Download
memory/1308-175-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/1308-174-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/1308-171-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/1308-189-0x0000000004683000-0x0000000004684000-memory.dmp

Filesize
4KB

Download
memory/1308-162-0x0000000000000000-mapping.dmp

Download
memory/1364-188-0x0000000000000000-mapping.dmp

Download
memory/1604-190-0x0000000000000000-mapping.dmp

Download
memory/2104-148-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/2104-142-0x0000000004212000-0x0000000004213000-memory.dmp

Filesize
4KB

Download
memory/2104-146-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/2104-147-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/2104-136-0x0000000000000000-mapping.dmp

Download
memory/2104-149-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/2104-144-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/2104-151-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/2104-156-0x00000000094B0000-0x00000000094B1000-memory.dmp

Filesize
4KB

Download
memory/2104-157-0x0000000008A40000-0x0000000008A41000-memory.dmp

Filesize
4KB

Download
memory/2104-158-0x0000000008D10000-0x0000000008D11000-memory.dmp

Filesize
4KB

Download
memory/2104-143-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/2104-161-0x0000000004213000-0x0000000004214000-memory.dmp

Filesize
4KB

Download
memory/2104-145-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/2104-141-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/2104-140-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

Filesize
4KB

Download
memory/2104-139-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2616-114-0x0000000000000000-mapping.dmp

Download
memory/2616-128-0x0000000004931000-0x0000000004F92000-memory.dmp

Filesize
6.4MB

Download
memory/2616-121-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/2616-118-0x0000000003FF0000-0x00000000043BD000-memory.dmp

Filesize
3.8MB

Download
memory/2752-135-0x0000000004F21000-0x0000000005582000-memory.dmp

Filesize
6.4MB

Download
memory/2752-126-0x0000000000000000-mapping.dmp

Download
memory/3680-120-0x0000000000400000-0x0000000000C96000-memory.dmp

Filesize
8.6MB

Download
memory/3680-119-0x0000000001440000-0x000000000181F000-memory.dmp

Filesize
3.9MB

Download
memory/4036-185-0x0000000000000000-mapping.dmp

Download