danabot | 66b7a497ff759634f91c4a6ae7c0b6fd90cd0c61076e4abc8d2f9166f343805a

General

Target

66b7a497ff759634f91c4a6ae7c0b6fd90cd0c61076e4abc8d2f9166f343805a.js
Size

1.4MB
MD5

58a4f4d720e37e8068e6ebf835f5e37c
SHA1

81b196c4175097a2bc639764e71454986060da66
SHA256

66b7a497ff759634f91c4a6ae7c0b6fd90cd0c61076e4abc8d2f9166f343805a
SHA512

737932aa10d7bdef164441348b21c9b041476ce111ef9ad820c666b03a949589c12baa8fe07ef6db9c0487f8300e765604b27f16abecc04a0a2bb847ca1cc7f6

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

209.182.218.222

185.227.109.40

185.136.165.128

161.129.65.197

217.182.56.71

254.55.37.53

228.175.167.154

56.38.135.17

168.127.65.186

185.181.8.49

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll	family_danabot
\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll	family_danabot
\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll	family_danabot
\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll	family_danabot
\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll	family_danabot
\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow pid process

2 820 rundll32.exe
3 820 rundll32.exe
4 820 rundll32.exe
5 820 rundll32.exe
6 820 rundll32.exe
7 820 rundll32.exe
10 820 rundll32.exe
13 820 rundll32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1488 regsvr32.exe
820 rundll32.exe
820 rundll32.exe
820 rundll32.exe
820 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
2	820	rundll32.exe
3	820	rundll32.exe
4	820	rundll32.exe
5	820	rundll32.exe
6	820	rundll32.exe
7	820	rundll32.exe
10	820	rundll32.exe
13	820	rundll32.exe

pid	process
1488	regsvr32.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

wscript.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 316 wrote to memory of 564	316	wscript.exe	regsvr32.exe
PID 316 wrote to memory of 564	316	wscript.exe	regsvr32.exe
PID 316 wrote to memory of 564	316	wscript.exe	regsvr32.exe
PID 316 wrote to memory of 564	316	wscript.exe	regsvr32.exe
PID 316 wrote to memory of 564	316	wscript.exe	regsvr32.exe
PID 564 wrote to memory of 1488	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1488	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1488	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1488	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1488	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1488	564	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 1488	564	regsvr32.exe	regsvr32.exe
PID 1488 wrote to memory of 820	1488	regsvr32.exe	rundll32.exe
PID 1488 wrote to memory of 820	1488	regsvr32.exe	rundll32.exe
PID 1488 wrote to memory of 820	1488	regsvr32.exe	rundll32.exe
PID 1488 wrote to memory of 820	1488	regsvr32.exe	rundll32.exe
PID 1488 wrote to memory of 820	1488	regsvr32.exe	rundll32.exe
PID 1488 wrote to memory of 820	1488	regsvr32.exe	rundll32.exe
PID 1488 wrote to memory of 820	1488	regsvr32.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\66b7a497ff759634f91c4a6ae7c0b6fd90cd0c61076e4abc8d2f9166f343805a.js
1⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\lEDVIkQSVYhQAzRgNIlEfQ.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\\lEDVIkQSVYhQAzRgNIlEfQ.dll
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll,f0
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll
MD5
edb09790e89ee476cfb7e66a1f7cad7b

SHA1
f25e69a0447936ec278808bdfb942a4e7125c46c

SHA256
0578160ca0061e8b9b0e61ecb6b057babdeff7580d5a58e0724e7bb4e7e51d93

SHA512
ebd154521917fb876736dcb62ce35517dcf5ccf513a8903544f681ac2d1adacff894dfe3615a1f005e65b8cb738ac47ab83ac85eaa16bfd897a1868e3d16aecb

Download Submit
\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll
MD5
edb09790e89ee476cfb7e66a1f7cad7b

SHA1
f25e69a0447936ec278808bdfb942a4e7125c46c

SHA256
0578160ca0061e8b9b0e61ecb6b057babdeff7580d5a58e0724e7bb4e7e51d93

SHA512
ebd154521917fb876736dcb62ce35517dcf5ccf513a8903544f681ac2d1adacff894dfe3615a1f005e65b8cb738ac47ab83ac85eaa16bfd897a1868e3d16aecb

Download Submit
\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll
MD5
edb09790e89ee476cfb7e66a1f7cad7b

SHA1
f25e69a0447936ec278808bdfb942a4e7125c46c

SHA256
0578160ca0061e8b9b0e61ecb6b057babdeff7580d5a58e0724e7bb4e7e51d93

SHA512
ebd154521917fb876736dcb62ce35517dcf5ccf513a8903544f681ac2d1adacff894dfe3615a1f005e65b8cb738ac47ab83ac85eaa16bfd897a1868e3d16aecb

Download Submit
\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll
MD5
edb09790e89ee476cfb7e66a1f7cad7b

SHA1
f25e69a0447936ec278808bdfb942a4e7125c46c

SHA256
0578160ca0061e8b9b0e61ecb6b057babdeff7580d5a58e0724e7bb4e7e51d93

SHA512
ebd154521917fb876736dcb62ce35517dcf5ccf513a8903544f681ac2d1adacff894dfe3615a1f005e65b8cb738ac47ab83ac85eaa16bfd897a1868e3d16aecb

Download Submit
\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll
MD5
edb09790e89ee476cfb7e66a1f7cad7b

SHA1
f25e69a0447936ec278808bdfb942a4e7125c46c

SHA256
0578160ca0061e8b9b0e61ecb6b057babdeff7580d5a58e0724e7bb4e7e51d93

SHA512
ebd154521917fb876736dcb62ce35517dcf5ccf513a8903544f681ac2d1adacff894dfe3615a1f005e65b8cb738ac47ab83ac85eaa16bfd897a1868e3d16aecb

Download Submit
\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll
MD5
edb09790e89ee476cfb7e66a1f7cad7b

SHA1
f25e69a0447936ec278808bdfb942a4e7125c46c

SHA256
0578160ca0061e8b9b0e61ecb6b057babdeff7580d5a58e0724e7bb4e7e51d93

SHA512
ebd154521917fb876736dcb62ce35517dcf5ccf513a8903544f681ac2d1adacff894dfe3615a1f005e65b8cb738ac47ab83ac85eaa16bfd897a1868e3d16aecb

Download Submit
memory/564-54-0x000007FEFC441000-0x000007FEFC443000-memory.dmp

Filesize
8KB

Download
memory/820-64-0x00000000002B0000-0x0000000000315000-memory.dmp

Filesize
404KB

Download
memory/1488-56-0x0000000076001000-0x0000000076003000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing