danabot | c4ba15d516f167a6dbcba5de62b0adb3e6f928a9cf746e7eb1ed5eb8bc852db2

Analysis

max time kernel
128s
max time network
56s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe
Size

4.4MB
MD5

2820526d4b78eb0f74e15f2755bf11a2
SHA1

282330102009652ba0a20de22617bf0cba352766
SHA256

c4ba15d516f167a6dbcba5de62b0adb3e6f928a9cf746e7eb1ed5eb8bc852db2
SHA512

fd0a9679cd82d5cb056d3dbd938877bf996bdee74bc8708f582e212d43305fdf75971cb1669e20d2f3c8e03be893f5c03b0b4577292b6a81486d1bb1e07fd44e

Score

10^/10

danabot 3 banker discovery spyware stealer suricata trojan

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

23.106.122.10:443

193.34.167.163:443

192.236.192.241:443

192.236.192.238:443

Attributes

embedded_hash
CF4A570E177DE0D08BB5A391C595CBD7
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
suricata
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

1 1784 RUNDLL32.EXE
2 1784 RUNDLL32.EXE
4 1784 RUNDLL32.EXE
5 1784 RUNDLL32.EXE
Loads dropped DLL 8 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1984 rundll32.exe
1984 rundll32.exe
1984 rundll32.exe
1984 rundll32.exe
1784 RUNDLL32.EXE
1784 RUNDLL32.EXE
1784 RUNDLL32.EXE
1784 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 1984 rundll32.exe
Token: SeDebugPrivilege 1784 RUNDLL32.EXE

flow	pid	process
1	1784	RUNDLL32.EXE
2	1784	RUNDLL32.EXE
4	1784	RUNDLL32.EXE
5	1784	RUNDLL32.EXE

pid	process
1984	rundll32.exe
1984	rundll32.exe
1984	rundll32.exe
1984	rundll32.exe
1784	RUNDLL32.EXE
1784	RUNDLL32.EXE
1784	RUNDLL32.EXE
1784	RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	1984	rundll32.exe
Token: SeDebugPrivilege	1784	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exerundll32.exe

description	pid	process	target process
PID 1668 wrote to memory of 1984	1668	C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe	rundll32.exe
PID 1668 wrote to memory of 1984	1668	C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe	rundll32.exe
PID 1668 wrote to memory of 1984	1668	C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe	rundll32.exe
PID 1668 wrote to memory of 1984	1668	C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe	rundll32.exe
PID 1668 wrote to memory of 1984	1668	C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe	rundll32.exe
PID 1668 wrote to memory of 1984	1668	C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe	rundll32.exe
PID 1668 wrote to memory of 1984	1668	C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe	rundll32.exe
PID 1984 wrote to memory of 1784	1984	rundll32.exe	RUNDLL32.EXE
PID 1984 wrote to memory of 1784	1984	rundll32.exe	RUNDLL32.EXE
PID 1984 wrote to memory of 1784	1984	rundll32.exe	RUNDLL32.EXE
PID 1984 wrote to memory of 1784	1984	rundll32.exe	RUNDLL32.EXE
PID 1984 wrote to memory of 1784	1984	rundll32.exe	RUNDLL32.EXE
PID 1984 wrote to memory of 1784	1984	rundll32.exe	RUNDLL32.EXE
PID 1984 wrote to memory of 1784	1984	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe
"C:\Users\Admin\AppData\Local\Temp\C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\C4BA15~1.EXE
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL,WkIYjBzlAtA=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
memory/1668-54-0x0000000006BB0000-0x0000000006F7A000-memory.dmp

Filesize
3.8MB

Download
memory/1668-64-0x0000000006BB0000-0x0000000006F7A000-memory.dmp

Filesize
3.8MB

Download
memory/1668-55-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1668-65-0x0000000006F80000-0x000000000735D000-memory.dmp

Filesize
3.9MB

Download
memory/1668-66-0x0000000000400000-0x0000000005154000-memory.dmp

Filesize
77.3MB

Download
memory/1784-68-0x0000000000000000-mapping.dmp

Download
memory/1784-75-0x0000000002140000-0x000000000250B000-memory.dmp

Filesize
3.8MB

Download
memory/1784-76-0x0000000002920000-0x0000000002F7F000-memory.dmp

Filesize
6.4MB

Download
memory/1784-77-0x0000000002920000-0x0000000002F7F000-memory.dmp

Filesize
6.4MB

Download
memory/1984-56-0x0000000000000000-mapping.dmp

Download
memory/1984-70-0x0000000002600000-0x0000000002C5F000-memory.dmp

Filesize
6.4MB

Download
memory/1984-67-0x0000000002600000-0x0000000002C5F000-memory.dmp

Filesize
6.4MB

Download
memory/1984-63-0x0000000001E60000-0x000000000222B000-memory.dmp

Filesize
3.8MB

Download