danabot | 95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85

Analysis

max time kernel
4294188s
max time network
121s
platform
windows7_x64
resource
win7-20220223-en
submitted
06-03-2022 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe
Size

3.9MB
MD5

cdb7cedd0d9adb7c036b49f4ff2eb5c4
SHA1

fc4a2c47085d30633bcd220d821455d333bee647
SHA256

95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85
SHA512

6bd6231e90097e0a5c0e8fa36175f9f7c5a6dd41f4e53ea6ae87ac3234bba8ee6b975c802c05228d4f09c7f0e04c43773f7814b8324529e58b9946b28a01c43c

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

23.106.123.249:443

51.195.73.129:443

167.114.188.38:443

23.226.132.92:443

Attributes

embedded_hash
E1D3580C52F82AF2B3596E20FB85D9F4
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

2 768 RUNDLL32.EXE
3 768 RUNDLL32.EXE
4 768 RUNDLL32.EXE
5 768 RUNDLL32.EXE
Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

876 rundll32.exe
Loads dropped DLL 8 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

876 rundll32.exe
876 rundll32.exe
876 rundll32.exe
876 rundll32.exe
768 RUNDLL32.EXE
768 RUNDLL32.EXE
768 RUNDLL32.EXE
768 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 876 rundll32.exe
Token: SeDebugPrivilege 768 RUNDLL32.EXE

flow	pid	process
2	768	RUNDLL32.EXE
3	768	RUNDLL32.EXE
4	768	RUNDLL32.EXE
5	768	RUNDLL32.EXE

pid	process
876	rundll32.exe

pid	process
876	rundll32.exe
876	rundll32.exe
876	rundll32.exe
876	rundll32.exe
768	RUNDLL32.EXE
768	RUNDLL32.EXE
768	RUNDLL32.EXE
768	RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	876	rundll32.exe
Token: SeDebugPrivilege	768	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exerundll32.exe

description	pid	process	target process
PID 1108 wrote to memory of 876	1108	95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe	rundll32.exe
PID 1108 wrote to memory of 876	1108	95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe	rundll32.exe
PID 1108 wrote to memory of 876	1108	95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe	rundll32.exe
PID 1108 wrote to memory of 876	1108	95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe	rundll32.exe
PID 1108 wrote to memory of 876	1108	95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe	rundll32.exe
PID 1108 wrote to memory of 876	1108	95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe	rundll32.exe
PID 1108 wrote to memory of 876	1108	95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe	rundll32.exe
PID 876 wrote to memory of 768	876	rundll32.exe	RUNDLL32.EXE
PID 876 wrote to memory of 768	876	rundll32.exe	RUNDLL32.EXE
PID 876 wrote to memory of 768	876	rundll32.exe	RUNDLL32.EXE
PID 876 wrote to memory of 768	876	rundll32.exe	RUNDLL32.EXE
PID 876 wrote to memory of 768	876	rundll32.exe	RUNDLL32.EXE
PID 876 wrote to memory of 768	876	rundll32.exe	RUNDLL32.EXE
PID 876 wrote to memory of 768	876	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe
"C:\Users\Admin\AppData\Local\Temp\95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\95C27D~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\95C27D~1.EXE
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\95C27D~1.DLL,IQsWjBzyAg==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\95C27D~1.DLL
MD5
84089cd89e88deb295ef14f03796bba5

SHA1
03db542899d89cccd873143ab00cd43039318fbe

SHA256
f7a256bf58cc242cd34bdfa710febc15aa9991824124b4a42ff7196cbc92db77

SHA512
c76b1160a1413c63c37ab065c249dcbd3f3fe8b10b45b2084eaeb676574673dac41e17a0cc0dd643b400ef4f953d19fe209b36310fc406834ba92aabe90682b9

Download Submit
\Users\Admin\AppData\Local\Temp\95C27D~1.DLL
MD5
84089cd89e88deb295ef14f03796bba5

SHA1
03db542899d89cccd873143ab00cd43039318fbe

SHA256
f7a256bf58cc242cd34bdfa710febc15aa9991824124b4a42ff7196cbc92db77

SHA512
c76b1160a1413c63c37ab065c249dcbd3f3fe8b10b45b2084eaeb676574673dac41e17a0cc0dd643b400ef4f953d19fe209b36310fc406834ba92aabe90682b9

Download Submit
\Users\Admin\AppData\Local\Temp\95C27D~1.DLL
MD5
84089cd89e88deb295ef14f03796bba5

SHA1
03db542899d89cccd873143ab00cd43039318fbe

SHA256
f7a256bf58cc242cd34bdfa710febc15aa9991824124b4a42ff7196cbc92db77

SHA512
c76b1160a1413c63c37ab065c249dcbd3f3fe8b10b45b2084eaeb676574673dac41e17a0cc0dd643b400ef4f953d19fe209b36310fc406834ba92aabe90682b9

Download Submit
\Users\Admin\AppData\Local\Temp\95C27D~1.DLL
MD5
84089cd89e88deb295ef14f03796bba5

SHA1
03db542899d89cccd873143ab00cd43039318fbe

SHA256
f7a256bf58cc242cd34bdfa710febc15aa9991824124b4a42ff7196cbc92db77

SHA512
c76b1160a1413c63c37ab065c249dcbd3f3fe8b10b45b2084eaeb676574673dac41e17a0cc0dd643b400ef4f953d19fe209b36310fc406834ba92aabe90682b9

Download Submit
\Users\Admin\AppData\Local\Temp\95C27D~1.DLL
MD5
84089cd89e88deb295ef14f03796bba5

SHA1
03db542899d89cccd873143ab00cd43039318fbe

SHA256
f7a256bf58cc242cd34bdfa710febc15aa9991824124b4a42ff7196cbc92db77

SHA512
c76b1160a1413c63c37ab065c249dcbd3f3fe8b10b45b2084eaeb676574673dac41e17a0cc0dd643b400ef4f953d19fe209b36310fc406834ba92aabe90682b9

Download Submit
\Users\Admin\AppData\Local\Temp\95C27D~1.DLL
MD5
84089cd89e88deb295ef14f03796bba5

SHA1
03db542899d89cccd873143ab00cd43039318fbe

SHA256
f7a256bf58cc242cd34bdfa710febc15aa9991824124b4a42ff7196cbc92db77

SHA512
c76b1160a1413c63c37ab065c249dcbd3f3fe8b10b45b2084eaeb676574673dac41e17a0cc0dd643b400ef4f953d19fe209b36310fc406834ba92aabe90682b9

Download Submit
\Users\Admin\AppData\Local\Temp\95C27D~1.DLL
MD5
84089cd89e88deb295ef14f03796bba5

SHA1
03db542899d89cccd873143ab00cd43039318fbe

SHA256
f7a256bf58cc242cd34bdfa710febc15aa9991824124b4a42ff7196cbc92db77

SHA512
c76b1160a1413c63c37ab065c249dcbd3f3fe8b10b45b2084eaeb676574673dac41e17a0cc0dd643b400ef4f953d19fe209b36310fc406834ba92aabe90682b9

Download Submit
\Users\Admin\AppData\Local\Temp\95C27D~1.DLL
MD5
84089cd89e88deb295ef14f03796bba5

SHA1
03db542899d89cccd873143ab00cd43039318fbe

SHA256
f7a256bf58cc242cd34bdfa710febc15aa9991824124b4a42ff7196cbc92db77

SHA512
c76b1160a1413c63c37ab065c249dcbd3f3fe8b10b45b2084eaeb676574673dac41e17a0cc0dd643b400ef4f953d19fe209b36310fc406834ba92aabe90682b9

Download Submit
\Users\Admin\AppData\Local\Temp\95C27D~1.DLL
MD5
84089cd89e88deb295ef14f03796bba5

SHA1
03db542899d89cccd873143ab00cd43039318fbe

SHA256
f7a256bf58cc242cd34bdfa710febc15aa9991824124b4a42ff7196cbc92db77

SHA512
c76b1160a1413c63c37ab065c249dcbd3f3fe8b10b45b2084eaeb676574673dac41e17a0cc0dd643b400ef4f953d19fe209b36310fc406834ba92aabe90682b9

Download Submit
memory/768-69-0x0000000002030000-0x00000000023FB000-memory.dmp

Filesize
3.8MB

Download
memory/768-71-0x00000000026D0000-0x0000000002D2F000-memory.dmp

Filesize
6.4MB

Download
memory/768-72-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/768-73-0x00000000026D0000-0x0000000002D2F000-memory.dmp

Filesize
6.4MB

Download
memory/876-63-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/876-62-0x0000000002790000-0x0000000002DEF000-memory.dmp

Filesize
6.4MB

Download
memory/876-61-0x0000000001FF0000-0x00000000023BB000-memory.dmp

Filesize
3.8MB

Download
memory/876-70-0x0000000002790000-0x0000000002DEF000-memory.dmp

Filesize
6.4MB

Download
memory/1108-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download