danabot | 6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323

General

Target

6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe
Size

4.3MB
MD5

1111538ef73e921248d56f181c4fbdbf
SHA1

a9923340f8f24a8efde9ec0b7ca8d57de2bd2245
SHA256

6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323
SHA512

00426648bebed8fab7f511d1ec2e5266cf0645c040274654ae396ffdefd94de48c44609f2d312159447ed8ba7a3cfab69ba3210f8716e0edd1170d4e203d7a67

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

23.226.132.92:443

176.123.6.168:443

108.62.141.152:443

192.241.101.68:443

Attributes

embedded_hash
DE420A65BFC5F29167A85A5199065A0E
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

15 4800 RUNDLL32.EXE
23 4800 RUNDLL32.EXE
29 4800 RUNDLL32.EXE
32 4800 RUNDLL32.EXE
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2756 rundll32.exe
4800 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 2756 rundll32.exe
Token: SeDebugPrivilege 4800 RUNDLL32.EXE

flow	pid	process
15	4800	RUNDLL32.EXE
23	4800	RUNDLL32.EXE
29	4800	RUNDLL32.EXE
32	4800	RUNDLL32.EXE

pid	process
2756	rundll32.exe
4800	RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	2756	rundll32.exe
Token: SeDebugPrivilege	4800	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exerundll32.exe

description	pid	process	target process
PID 2112 wrote to memory of 2756	2112	6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe	rundll32.exe
PID 2112 wrote to memory of 2756	2112	6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe	rundll32.exe
PID 2112 wrote to memory of 2756	2112	6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe	rundll32.exe
PID 2756 wrote to memory of 4800	2756	rundll32.exe	RUNDLL32.EXE
PID 2756 wrote to memory of 4800	2756	rundll32.exe	RUNDLL32.EXE
PID 2756 wrote to memory of 4800	2756	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe
"C:\Users\Admin\AppData\Local\Temp\6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6E5834~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\6E5834~1.EXE
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\6E5834~1.DLL,QyQffDZ1A1A=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6E5834~1.DLL
MD5
276adad6bea4d7bc2f37806c10bb5ef7

SHA1
26fad6ab56567053fba5e061b5d183341bf8b924

SHA256
ae6331f496ec5e72d883b5cd3459de4f35397207a2397b49d6c65e259908c579

SHA512
684e52d7d2051e4c83e3b9fe996c54dadca74951e4c8458501a895da39039aa06c477d0bcaa3a1aa75e0b62acde1144328af85d6a224187a0bdc709fab885a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E5834~1.EXE.dll
MD5
276adad6bea4d7bc2f37806c10bb5ef7

SHA1
26fad6ab56567053fba5e061b5d183341bf8b924

SHA256
ae6331f496ec5e72d883b5cd3459de4f35397207a2397b49d6c65e259908c579

SHA512
684e52d7d2051e4c83e3b9fe996c54dadca74951e4c8458501a895da39039aa06c477d0bcaa3a1aa75e0b62acde1144328af85d6a224187a0bdc709fab885a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E5834~1.EXE.dll
MD5
276adad6bea4d7bc2f37806c10bb5ef7

SHA1
26fad6ab56567053fba5e061b5d183341bf8b924

SHA256
ae6331f496ec5e72d883b5cd3459de4f35397207a2397b49d6c65e259908c579

SHA512
684e52d7d2051e4c83e3b9fe996c54dadca74951e4c8458501a895da39039aa06c477d0bcaa3a1aa75e0b62acde1144328af85d6a224187a0bdc709fab885a07

Download Submit
memory/2112-130-0x00000000069B0000-0x0000000006D7A000-memory.dmp

Filesize
3.8MB

Download
memory/2112-131-0x0000000006D80000-0x000000000715C000-memory.dmp

Filesize
3.9MB

Download
memory/2112-132-0x0000000000400000-0x0000000004B6C000-memory.dmp

Filesize
71.4MB

Download
memory/2756-135-0x0000000002F10000-0x000000000356F000-memory.dmp

Filesize
6.4MB

Download
memory/2756-136-0x0000000002F10000-0x000000000356F000-memory.dmp

Filesize
6.4MB

Download
memory/4800-140-0x0000000002F70000-0x00000000035CF000-memory.dmp

Filesize
6.4MB

Download
memory/4800-143-0x0000000002F70000-0x00000000035CF000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing