danabot | 2bc053a51cfd99d4b6f19e3c6b4ce3cd9320fe0355c44f7afe24e4e84b6cff81

General

Target

CRA_INV_2019_235757679759/CRA_INV_2019_235757679759.vbs
Size

24.3MB
MD5

350e751bb68ade139e174d65008eebe0
SHA1

f235f388686573edd1475f337c9b5b34afd4b9e1
SHA256

d39e3c62fb0b70846240f3d73a3885d5024eebcc9e61fa77f5ebbb450fbf7620
SHA512

3b34c36fd8e2e9b83150cfe652bc34c615b0017174f35d4ba2513d63b73aa51ae75c928f7e6307bd29d9adeb3222cb6ba8f19c0feeab53d2cf2f66ca43394f47

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

181.63.44.194

207.148.83.108

45.77.40.71

87.115.138.169

24.229.48.7

116.111.206.27

45.196.143.203

218.65.3.199

131.59.110.186

113.81.97.96

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4912 4276 regsvr32.exe
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

32 4040 rundll32.exe
34 4040 rundll32.exe
35 4040 rundll32.exe
37 4040 rundll32.exe
38 4040 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

3908 regsvr32.exe
3908 regsvr32.exe
4040 rundll32.exe
4040 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

1620 WScript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4276	regsvr32.exe

flow	pid	process
32	4040	rundll32.exe
34	4040	rundll32.exe
35	4040	rundll32.exe
37	4040	rundll32.exe
38	4040	rundll32.exe

pid	process
3908	regsvr32.exe
3908	regsvr32.exe
4040	rundll32.exe
4040	rundll32.exe

pid	process
1620	WScript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 4912 wrote to memory of 3908	4912	regsvr32.exe	regsvr32.exe
PID 4912 wrote to memory of 3908	4912	regsvr32.exe	regsvr32.exe
PID 4912 wrote to memory of 3908	4912	regsvr32.exe	regsvr32.exe
PID 3908 wrote to memory of 4040	3908	regsvr32.exe	rundll32.exe
PID 3908 wrote to memory of 4040	3908	regsvr32.exe	rundll32.exe
PID 3908 wrote to memory of 4040	3908	regsvr32.exe	rundll32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CRA_INV_2019_235757679759\CRA_INV_2019_235757679759.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1620

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt
Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt
Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt
Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt
Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCnossAab.txt
Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
memory/3908-139-0x0000000002420000-0x0000000002E4A000-memory.dmp

Filesize
10.2MB

Download
memory/3908-137-0x0000000002420000-0x0000000002E4A000-memory.dmp

Filesize
10.2MB

Download
memory/3908-138-0x0000000002420000-0x000000000258A000-memory.dmp

Filesize
1.4MB

Download
memory/3908-136-0x0000000002420000-0x0000000002E4A000-memory.dmp

Filesize
10.2MB

Download
memory/3908-134-0x0000000002420000-0x0000000002E4A000-memory.dmp

Filesize
10.2MB

Download
memory/3908-131-0x0000000000000000-mapping.dmp

Download
memory/4040-142-0x0000000000000000-mapping.dmp

Download
memory/4040-145-0x0000000002CE0000-0x000000000370A000-memory.dmp

Filesize
10.2MB

Download
memory/4040-147-0x0000000002CE0000-0x000000000370A000-memory.dmp

Filesize
10.2MB

Download
memory/4040-148-0x0000000002CE0000-0x0000000002E4A000-memory.dmp

Filesize
1.4MB

Download
memory/4040-149-0x0000000002CE0000-0x000000000370A000-memory.dmp

Filesize
10.2MB

Download
memory/4040-152-0x0000000002CE0000-0x000000000370A000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing