danabot | 1b6893887051e9bb3155b6a817e71e499dcb5959369391a42b772c0fa75e55fd

Analysis

max time kernel
141s
max time network
122s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f8f5be06bf789146526e520a66be571.exe
Size

1.2MB
MD5

7f8f5be06bf789146526e520a66be571
SHA1

629681e69d3759d2085aa2c037c8c6fca4045ea2
SHA256

1b6893887051e9bb3155b6a817e71e499dcb5959369391a42b772c0fa75e55fd
SHA512

4c396b8dadfd446f11b644ad33042e0c6fa19b418c02d744f4bda5409732b3b1601cc3bff191cb5a8a10f676672d0c662705420a1b4306f142a6a897a09210aa

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

15 2528 rundll32.exe
16 3868 RUNDLL32.EXE
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2528 rundll32.exe
3868 RUNDLL32.EXE
3868 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Jvgzbfh.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
15	2528	rundll32.exe
16	3868	RUNDLL32.EXE

pid	process
2528	rundll32.exe
3868	RUNDLL32.EXE
3868	RUNDLL32.EXE

description	ioc	process
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19DF2C00A65E58B316BA82DFF4876FCC1317C889	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19DF2C00A65E58B316BA82DFF4876FCC1317C889\Blob = 03000000010000001400000019df2c00a65e58b316ba82dff4876fcc1317c8892000000001000000ec020000308202e830820251a0030201020208240d102244f5d118300d06092a864886f70d01010b05003081863146304406035504030c3d56653672695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735311b3019060355040b0c1222286329203230303620566572695369676e31123010060355040a0c0922566572695369676e310b3009060355040613025553301e170d3139303732373036303535315a170d3233303732363036303535315a3081863146304406035504030c3d56653672695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735311b3019060355040b0c1222286329203230303620566572695369676e31123010060355040a0c0922566572695369676e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100bb3f9380788b4d06c686475050833f790ef39150892a6f1323be722513690546854c7f5019ba297c7d4605ad1add30c2d337532b0fd33dde06c228e993fe90c3f0653975bd0a39237d2e5493a3081dd5c84bc151326dd663e18ea20012c750e047f346c798faf1eaadba1f0eadf9d60635e292003a8894ff4c4efc49a303fc290203010001a35d305b300f0603551d130101ff040530030101ff30480603551d110441303f823d56653672695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735300d06092a864886f70d01010b050003818100077c5170fdbed13fd86535a1d51d2337dfb0cf5891a1dd8094bb1cb8b580a7db468db8a88e1e4357106258c0ebb8acff8c1858b9511325a3746a52b24d0f09b85e4b056b76750e8306ebb995f62abe59bd4e36b470c541273271a56bfe05af1b9df399b41a80fe0628431f7d81dbf37aa6ea95a520478cf8e5dc8149c7e2ce64	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
3868	RUNDLL32.EXE
3868	RUNDLL32.EXE
3868	RUNDLL32.EXE
3868	RUNDLL32.EXE
3868	RUNDLL32.EXE
3868	RUNDLL32.EXE
1804	powershell.exe
1804	powershell.exe
1804	powershell.exe
3868	RUNDLL32.EXE
3868	RUNDLL32.EXE
2152	powershell.exe
2152	powershell.exe
2152	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3868 RUNDLL32.EXE
Token: SeDebugPrivilege 1804 powershell.exe
Token: SeDebugPrivilege 2152 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

3868 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	3868	RUNDLL32.EXE
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

7f8f5be06bf789146526e520a66be571.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 3172 wrote to memory of 2528	3172	7f8f5be06bf789146526e520a66be571.exe	rundll32.exe
PID 3172 wrote to memory of 2528	3172	7f8f5be06bf789146526e520a66be571.exe	rundll32.exe
PID 3172 wrote to memory of 2528	3172	7f8f5be06bf789146526e520a66be571.exe	rundll32.exe
PID 2528 wrote to memory of 3868	2528	rundll32.exe	RUNDLL32.EXE
PID 2528 wrote to memory of 3868	2528	rundll32.exe	RUNDLL32.EXE
PID 2528 wrote to memory of 3868	2528	rundll32.exe	RUNDLL32.EXE
PID 3868 wrote to memory of 1804	3868	RUNDLL32.EXE	powershell.exe
PID 3868 wrote to memory of 1804	3868	RUNDLL32.EXE	powershell.exe
PID 3868 wrote to memory of 1804	3868	RUNDLL32.EXE	powershell.exe
PID 3868 wrote to memory of 2152	3868	RUNDLL32.EXE	powershell.exe
PID 3868 wrote to memory of 2152	3868	RUNDLL32.EXE	powershell.exe
PID 3868 wrote to memory of 2152	3868	RUNDLL32.EXE	powershell.exe
PID 2152 wrote to memory of 2528	2152	powershell.exe	nslookup.exe
PID 2152 wrote to memory of 2528	2152	powershell.exe	nslookup.exe
PID 2152 wrote to memory of 2528	2152	powershell.exe	nslookup.exe
PID 3868 wrote to memory of 584	3868	RUNDLL32.EXE	schtasks.exe
PID 3868 wrote to memory of 584	3868	RUNDLL32.EXE	schtasks.exe
PID 3868 wrote to memory of 584	3868	RUNDLL32.EXE	schtasks.exe
PID 3868 wrote to memory of 1896	3868	RUNDLL32.EXE	schtasks.exe
PID 3868 wrote to memory of 1896	3868	RUNDLL32.EXE	schtasks.exe
PID 3868 wrote to memory of 1896	3868	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe
"C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP,S C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP,PQE8c3Q3MQ==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp47A8.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5B13.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2528

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:584

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
17027d5d8b71d79882fa359c64d07164

SHA1
c7f47e13eed4c157c4d28307f20e071e61ade674

SHA256
c5f026643ecf48b458646a1c35b2058761ff3c2c1edd3dc945a80fcf6c66ad51

SHA512
4186d9e52500b3bf7131816c2d64f9333bbbaee30a58f4d6de89d94271bd54befb030dab1d78362d41912e028ed7802750ac6ee016242d673702d69e19cbdd03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
88c4043684a8143055b7411ffc1584f0

SHA1
f760a4497022ed152bd536e5ee917696d3071a65

SHA256
51a7aa52b9ee561a85b75681f3f9d18bb89e22b872d426b8707f5675f172c2c0

SHA512
4d31fb36e96339e412df50a30cab26bc82dbc7eeb5b9f7919ac542cc2019f7a8beda3a305bef915428e37f26de3bc44ef39918ced2707c0077c6a5131512e672

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP
MD5
5d31570b7ba4277cfb30dcf8952e76bb

SHA1
e623e0630f480327885182e7c3f7c5017cf045f9

SHA256
63a38ca6e194c44328c568893c93a76725b0ca820c64488327583fb17517e095

SHA512
ecfa2cea1eb97d73455063ead67b89e9462a1d7edf502564dcf63a9b1ea8ca91c8641db96e4dbe3687aeaf7a024aca6f1ece80646503af2255d47e297659a927

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47A8.tmp.ps1
MD5
5e80536ca3f04550d3d9e98447816b98

SHA1
f0dbdc675a6995615060c7c4d166b94e72d062b8

SHA256
69f1416c75a0bfc4482a89f80215594d576b67c05000443807aedbcb9672cf62

SHA512
c67c50502c68aecd7d661ebdf71c9b1c6e75fdba56a7f13e6cad61f53d32d6e6836575236d3bc0db6d356107e9c81383af6702de0d6606c5e05bf5751e78e1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47A9.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B13.tmp.ps1
MD5
8a8384fc917c0d2567f9c0ecd2eea547

SHA1
188cd8b5fd0d5405e9e297f82d4cfa63a35ab7e2

SHA256
17e1ddd4d794000d414d81706200b8d234be4b6f62564247745763767ec39b2e

SHA512
7651d49197a18775c75d6db16f1bd16564a84ac029665a7723c22d83579f642e3e6df39f6129a37ad50b6671c301c798c82af9ee8fba505904c4790284571a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B14.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP
MD5
5d31570b7ba4277cfb30dcf8952e76bb

SHA1
e623e0630f480327885182e7c3f7c5017cf045f9

SHA256
63a38ca6e194c44328c568893c93a76725b0ca820c64488327583fb17517e095

SHA512
ecfa2cea1eb97d73455063ead67b89e9462a1d7edf502564dcf63a9b1ea8ca91c8641db96e4dbe3687aeaf7a024aca6f1ece80646503af2255d47e297659a927

Download Submit
\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP
MD5
5d31570b7ba4277cfb30dcf8952e76bb

SHA1
e623e0630f480327885182e7c3f7c5017cf045f9

SHA256
63a38ca6e194c44328c568893c93a76725b0ca820c64488327583fb17517e095

SHA512
ecfa2cea1eb97d73455063ead67b89e9462a1d7edf502564dcf63a9b1ea8ca91c8641db96e4dbe3687aeaf7a024aca6f1ece80646503af2255d47e297659a927

Download Submit
\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP
MD5
5d31570b7ba4277cfb30dcf8952e76bb

SHA1
e623e0630f480327885182e7c3f7c5017cf045f9

SHA256
63a38ca6e194c44328c568893c93a76725b0ca820c64488327583fb17517e095

SHA512
ecfa2cea1eb97d73455063ead67b89e9462a1d7edf502564dcf63a9b1ea8ca91c8641db96e4dbe3687aeaf7a024aca6f1ece80646503af2255d47e297659a927

Download Submit
memory/584-196-0x0000000000000000-mapping.dmp

Download
memory/1804-148-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/1804-155-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/1804-144-0x0000000000000000-mapping.dmp

Download
memory/1804-149-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/1804-151-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/1804-150-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/1804-152-0x0000000006B02000-0x0000000006B03000-memory.dmp

Filesize
4KB

Download
memory/1804-153-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/1804-154-0x0000000007B30000-0x0000000007B31000-memory.dmp

Filesize
4KB

Download
memory/1804-147-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/1804-156-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/1804-157-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/1804-177-0x0000000006B03000-0x0000000006B04000-memory.dmp

Filesize
4KB

Download
memory/1804-159-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/1804-164-0x0000000009930000-0x0000000009931000-memory.dmp

Filesize
4KB

Download
memory/1804-165-0x0000000008EC0000-0x0000000008EC1000-memory.dmp

Filesize
4KB

Download
memory/1804-166-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

Filesize
4KB

Download
memory/1896-198-0x0000000000000000-mapping.dmp

Download
memory/2152-179-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/2152-184-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/2152-197-0x0000000004733000-0x0000000004734000-memory.dmp

Filesize
4KB

Download
memory/2152-169-0x0000000000000000-mapping.dmp

Download
memory/2152-181-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/2152-180-0x0000000004732000-0x0000000004733000-memory.dmp

Filesize
4KB

Download
memory/2528-130-0x0000000004E00000-0x0000000006096000-memory.dmp

Filesize
18.6MB

Download
memory/2528-114-0x0000000000000000-mapping.dmp

Download
memory/2528-193-0x0000000000000000-mapping.dmp

Download
memory/3172-118-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/3172-117-0x0000000002330000-0x0000000002430000-memory.dmp

Filesize
1024KB

Download
memory/3868-128-0x0000000000B10000-0x0000000000C6E000-memory.dmp

Filesize
1.4MB

Download
memory/3868-125-0x0000000000000000-mapping.dmp

Download
memory/3868-133-0x00000000045A0000-0x0000000005836000-memory.dmp

Filesize
18.6MB

Download