danabot | c38669f38d4b4f1e1d6881adfee332a4f5e8a1c62a630642100b340426e4e97a

Analysis

max time kernel
139s
max time network
135s
platform
windows10_x64
resource
win10v20210410
submitted
20-07-2021 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa036f4f21be4854f7bb2d7a3fc8cfb2.exe
Size

1.0MB
MD5

fa036f4f21be4854f7bb2d7a3fc8cfb2
SHA1

b56d0a5c39fd1e31b9c5307a12cd6f2abea61fd1
SHA256

c38669f38d4b4f1e1d6881adfee332a4f5e8a1c62a630642100b340426e4e97a
SHA512

bdaff5c113e0249d309816ae18cb20bf3bff2a7c713fdd1058b7e6755b27a2cef4b8acdbb9fe0e5bd595376e0e78eae4bfb282ecde3fd6138f7390cd8cd929e1

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

15 2812 rundll32.exe
16 736 RUNDLL32.EXE
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2812 rundll32.exe
736 RUNDLL32.EXE
736 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Jvgzbfh.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
15	2812	rundll32.exe
16	736	RUNDLL32.EXE

pid	process
2812	rundll32.exe
736	RUNDLL32.EXE
736	RUNDLL32.EXE

description	ioc	process
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3E7B4009AF531F5D17862073B23D42494BCC2C1F	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3E7B4009AF531F5D17862073B23D42494BCC2C1F\Blob = 0300000001000000140000003e7b4009af531f5d17862073b23d42494bcc2c1f20000000010000009902000030820295308201fea0030201020208355453bd7f2afc28300d06092a864886f70d01010b050030653137303506035504030c2e5379326d616e74656320456e7465727072697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b3009060355040613025553301e170d3139303732313135313130315a170d3233303732303135313130315a30653137303506035504030c2e5379326d616e74656320456e7465727072697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b300906035504061302555330819f300d06092a864886f70d010101050003818d00308189028181009fc12c2fc36726dd5b8d07fddc6d98fbc16c380b836888b729066aa267c30dfb8f5fe2c3896591572c2c53ba3306c4f1a238c96dfced20b870a6ed32063a5e73d6dc50cefcda3ff830c0c859e8784beeea4fd3dcd66ddd3a25f3f617f02f342b97171144033dff8a079457a3afe33dae2f4e7a1c3db4139dff0372a4e935a6d70203010001a34e304c300f0603551d130101ff040530030101ff30390603551d1104323030822e5379326d616e74656320456e7465727072697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674300d06092a864886f70d01010b050003818100676d42f0f1cb851ecbdfc98ea59c9365091bd2321491986865ec57dfc04413472004d13e15a77c1e7ae7e8c68b92145558e1ad41857ebdb6dd767de865cdf96fb7cca2fe4aa443035049bbc20c00d73c5d9050cd7bbcb51cd6318cd864cecc4996705155168969600138cff652753647571de6f39dc4e762677091cef8a36ba5	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
736	RUNDLL32.EXE
736	RUNDLL32.EXE
736	RUNDLL32.EXE
736	RUNDLL32.EXE
736	RUNDLL32.EXE
736	RUNDLL32.EXE
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
736	RUNDLL32.EXE
736	RUNDLL32.EXE
3728	powershell.exe
3728	powershell.exe
3728	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 736 RUNDLL32.EXE
Token: SeDebugPrivilege 1400 powershell.exe
Token: SeDebugPrivilege 3728 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

736 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	736	RUNDLL32.EXE
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

fa036f4f21be4854f7bb2d7a3fc8cfb2.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 2192 wrote to memory of 2812	2192	fa036f4f21be4854f7bb2d7a3fc8cfb2.exe	rundll32.exe
PID 2192 wrote to memory of 2812	2192	fa036f4f21be4854f7bb2d7a3fc8cfb2.exe	rundll32.exe
PID 2192 wrote to memory of 2812	2192	fa036f4f21be4854f7bb2d7a3fc8cfb2.exe	rundll32.exe
PID 2812 wrote to memory of 736	2812	rundll32.exe	RUNDLL32.EXE
PID 2812 wrote to memory of 736	2812	rundll32.exe	RUNDLL32.EXE
PID 2812 wrote to memory of 736	2812	rundll32.exe	RUNDLL32.EXE
PID 736 wrote to memory of 1400	736	RUNDLL32.EXE	powershell.exe
PID 736 wrote to memory of 1400	736	RUNDLL32.EXE	powershell.exe
PID 736 wrote to memory of 1400	736	RUNDLL32.EXE	powershell.exe
PID 736 wrote to memory of 3728	736	RUNDLL32.EXE	powershell.exe
PID 736 wrote to memory of 3728	736	RUNDLL32.EXE	powershell.exe
PID 736 wrote to memory of 3728	736	RUNDLL32.EXE	powershell.exe
PID 3728 wrote to memory of 2404	3728	powershell.exe	nslookup.exe
PID 3728 wrote to memory of 2404	3728	powershell.exe	nslookup.exe
PID 3728 wrote to memory of 2404	3728	powershell.exe	nslookup.exe
PID 736 wrote to memory of 3176	736	RUNDLL32.EXE	schtasks.exe
PID 736 wrote to memory of 3176	736	RUNDLL32.EXE	schtasks.exe
PID 736 wrote to memory of 3176	736	RUNDLL32.EXE	schtasks.exe
PID 736 wrote to memory of 3952	736	RUNDLL32.EXE	schtasks.exe
PID 736 wrote to memory of 3952	736	RUNDLL32.EXE	schtasks.exe
PID 736 wrote to memory of 3952	736	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fa036f4f21be4854f7bb2d7a3fc8cfb2.exe
"C:\Users\Admin\AppData\Local\Temp\fa036f4f21be4854f7bb2d7a3fc8cfb2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\FA036F~1.TMP,S C:\Users\Admin\AppData\Local\Temp\FA036F~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\FA036F~1.TMP,HhMLaTUzUm1x
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4FD6.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6266.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2404

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3176

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
8303b2caddfa02d1e3bd7796fc8f36e0

SHA1
b1b02156710b146139620b5fb8bf90ab8a3de615

SHA256
b1228441b57de321998f4697c8d62dd7ad676e032b52a7539171f10dafe7765d

SHA512
09f16b9281154f91c68b3609fe4468786be41005b3ce3af6997f11b7610a73ef61b8168ff093a375cae439f5231f1708bc33b05a9d566bdf5c74a590681773df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c547e4ad588194b1329fd16ea5802d4f

SHA1
e8576f3b8fd45c7cd18a158b3bc571ed6c87e34a

SHA256
32c3a65aa9a5b8db28af6cb5d5c6f6ac69c755930fbe420ebf9bb1888aa0905f

SHA512
3f921ef2003c02f12e4b19d85454b2bc70125b9ab90bfcd7d90446a09adb1535622c9d6f8f5b1cf761a88649d8270afb1ee42002674838a8d82d5cc8567ab73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA036F~1.TMP
MD5
7421975d09f0de9fc505ba95c37e5794

SHA1
052e5981f44c5451d896f6383df93bcdf5235fe5

SHA256
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd

SHA512
7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FD6.tmp.ps1
MD5
3fdc1fe112d34f31ec0557f4b72a9091

SHA1
03bed3703ce599a85d18a11cbe95a90c833631fd

SHA256
6327edf653a21066c753a896370e439b921428f657af582fce8b440016a101c5

SHA512
c1c6890c839c9525470c2c5668a41b0a21c15097238267f5ce1b03b091251750ca06537510c2a441fb508abc0054449181807477c07b6d91513be26893536b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FE7.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6266.tmp.ps1
MD5
e84411335305c93058140374599fcd4f

SHA1
60fbe01efd4546a1b3568d8e4afba00b02eb765c

SHA256
5c4f58fb5e40f07cff90d3fa371ab03510c7a8a3234b77fc61c5d7632067f9d7

SHA512
9dafa202eba8e44a6c0338084aa3134bee50b90d1dd1d0c31a86c41e0ed3dd4db9da9620c11ce423e4a2013515fc99002ccbbf26af5df1e087c1ba9ec21304ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6267.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\FA036F~1.TMP
MD5
7421975d09f0de9fc505ba95c37e5794

SHA1
052e5981f44c5451d896f6383df93bcdf5235fe5

SHA256
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd

SHA512
7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec

Download Submit
\Users\Admin\AppData\Local\Temp\FA036F~1.TMP
MD5
7421975d09f0de9fc505ba95c37e5794

SHA1
052e5981f44c5451d896f6383df93bcdf5235fe5

SHA256
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd

SHA512
7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec

Download Submit
\Users\Admin\AppData\Local\Temp\FA036F~1.TMP
MD5
7421975d09f0de9fc505ba95c37e5794

SHA1
052e5981f44c5451d896f6383df93bcdf5235fe5

SHA256
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd

SHA512
7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec

Download Submit
memory/736-128-0x0000000004600000-0x000000000475C000-memory.dmp

Filesize
1.4MB

Download
memory/736-130-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/736-136-0x00000000047E0000-0x0000000005A76000-memory.dmp

Filesize
18.6MB

Download
memory/736-125-0x0000000000000000-mapping.dmp

Download
memory/1400-148-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/1400-140-0x0000000006830000-0x0000000006831000-memory.dmp

Filesize
4KB

Download
memory/1400-143-0x00000000044C2000-0x00000000044C3000-memory.dmp

Filesize
4KB

Download
memory/1400-144-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/1400-145-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/1400-146-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/1400-147-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/1400-137-0x0000000000000000-mapping.dmp

Download
memory/1400-149-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/1400-150-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/1400-141-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/1400-152-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/1400-157-0x00000000097B0000-0x00000000097B1000-memory.dmp

Filesize
4KB

Download
memory/1400-158-0x0000000008D40000-0x0000000008D41000-memory.dmp

Filesize
4KB

Download
memory/1400-159-0x0000000006B40000-0x0000000006B41000-memory.dmp

Filesize
4KB

Download
memory/1400-142-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/1400-163-0x00000000044C3000-0x00000000044C4000-memory.dmp

Filesize
4KB

Download
memory/2192-118-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2192-117-0x0000000000FC0000-0x00000000010BF000-memory.dmp

Filesize
1020KB

Download
memory/2404-186-0x0000000000000000-mapping.dmp

Download
memory/2812-135-0x00000000053C0000-0x0000000006656000-memory.dmp

Filesize
18.6MB

Download
memory/2812-114-0x0000000000000000-mapping.dmp

Download
memory/3176-189-0x0000000000000000-mapping.dmp

Download
memory/3728-175-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/3728-162-0x0000000000000000-mapping.dmp

Download
memory/3728-181-0x0000000006CF2000-0x0000000006CF3000-memory.dmp

Filesize
4KB

Download
memory/3728-180-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/3728-172-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/3728-190-0x0000000006CF3000-0x0000000006CF4000-memory.dmp

Filesize
4KB

Download
memory/3952-191-0x0000000000000000-mapping.dmp

Download