Analysis

  • max time kernel
    4294209s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    25-03-2022 07:09

General

  • Target

    45196ed615fd372c176cdf19f6482e0d5967da5d37758dbc14f356b9f23ab644.vbs

  • Size

    1.4MB

  • MD5

    3574832b577757bec0da9deae80b04df

  • SHA1

    d8148064a462543c6fc9a84534120c7fd2451599

  • SHA256

    45196ed615fd372c176cdf19f6482e0d5967da5d37758dbc14f356b9f23ab644

  • SHA512

    db755ea2edfb68389ac606a39ad7bcf6ffdd63d7d51af718216a849db03d11ca9fcf7b81d62f657e7e9a6f90f9f72adcc6c4b991cf9d4b5472fccff1eb1fa7e5

Malware Config

Extracted

Family

danabot

C2

1.5.78.29

71.61.197.13

128.43.39.106

68.164.114.181

243.7.235.34

185.92.222.238

192.71.249.51

42.180.72.123

159.159.89.172

135.231.151.187

rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot x86 payload 3 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

  • Blocklisted process makes network request 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45196ed615fd372c176cdf19f6482e0d5967da5d37758dbc14f356b9f23ab644.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\System32\regsvr32.exe
      regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\\bxVLP.dlljYEdebHq
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\SysWOW64\regsvr32.exe
        -s C:\Users\Admin\AppData\Local\Temp\\bxVLP.dlljYEdebHq
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\bxVLP.dlljYEdebHq,f0
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:1232

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bxVLP.dlljYEdebHq
    MD5

    78ad1f6983266579b20b1605dbdc63b4

    SHA1

    e11f91abb0ad60cc5d781da51339cf196c499da7

    SHA256

    9a99c355af51ff7b712487c8576afcb9dafd2e1b98e93036339243ec7edf05fa

    SHA512

    3509f26f26c88b31459e241078f076d28b6f434e37196f315f0776739bfa14b9bf9258a354b90b265516aea65244acdcb8a8885a4c4450a242c65dade9af5097

  • \Users\Admin\AppData\Local\Temp\bxVLP.dlljYEdebHq
    MD5

    78ad1f6983266579b20b1605dbdc63b4

    SHA1

    e11f91abb0ad60cc5d781da51339cf196c499da7

    SHA256

    9a99c355af51ff7b712487c8576afcb9dafd2e1b98e93036339243ec7edf05fa

    SHA512

    3509f26f26c88b31459e241078f076d28b6f434e37196f315f0776739bfa14b9bf9258a354b90b265516aea65244acdcb8a8885a4c4450a242c65dade9af5097

  • memory/748-57-0x0000000000000000-mapping.dmp
  • memory/748-58-0x0000000074FF1000-0x0000000074FF3000-memory.dmp
    Filesize

    8KB

  • memory/748-60-0x0000000000240000-0x00000000002C0000-memory.dmp
    Filesize

    512KB

  • memory/748-61-0x0000000000930000-0x0000000000931000-memory.dmp
    Filesize

    4KB

  • memory/1232-62-0x0000000000000000-mapping.dmp
  • memory/1232-65-0x00000000006C0000-0x0000000000740000-memory.dmp
    Filesize

    512KB

  • memory/1232-66-0x0000000000890000-0x0000000000891000-memory.dmp
    Filesize

    4KB

  • memory/1628-54-0x0000000000000000-mapping.dmp
  • memory/1628-55-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp
    Filesize

    8KB