danabot | c4ba15d516f167a6dbcba5de62b0adb3e6f928a9cf746e7eb1ed5eb8bc852db2

General

Target

C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe
Size

4.4MB
MD5

2820526d4b78eb0f74e15f2755bf11a2
SHA1

282330102009652ba0a20de22617bf0cba352766
SHA256

c4ba15d516f167a6dbcba5de62b0adb3e6f928a9cf746e7eb1ed5eb8bc852db2
SHA512

fd0a9679cd82d5cb056d3dbd938877bf996bdee74bc8708f582e212d43305fdf75971cb1669e20d2f3c8e03be893f5c03b0b4577292b6a81486d1bb1e07fd44e

Score

10^/10

danabot 3 banker discovery spyware stealer suricata trojan upx

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

23.106.122.10:443

193.34.167.163:443

192.236.192.241:443

192.236.192.238:443

Attributes

embedded_hash
CF4A570E177DE0D08BB5A391C595CBD7
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
suricata
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

4 3936 RUNDLL32.EXE
12 3936 RUNDLL32.EXE
17 3936 RUNDLL32.EXE
18 3936 RUNDLL32.EXE

flow	pid	process
4	3936	RUNDLL32.EXE
12	3936	RUNDLL32.EXE
17	3936	RUNDLL32.EXE
18	3936	RUNDLL32.EXE

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3536-130-0x0000000000400000-0x0000000005154000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

4560 rundll32.exe
4560 rundll32.exe
3936 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3924 3536 WerFault.exe C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 4560 rundll32.exe
Token: SeDebugPrivilege 3936 RUNDLL32.EXE

pid	process
4560	rundll32.exe
4560	rundll32.exe
3936	RUNDLL32.EXE

pid	pid_target	process	target process
3924	3536	WerFault.exe	C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe

description	pid	process
Token: SeDebugPrivilege	4560	rundll32.exe
Token: SeDebugPrivilege	3936	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exerundll32.exe

description	pid	process	target process
PID 3536 wrote to memory of 4560	3536	C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe	rundll32.exe
PID 3536 wrote to memory of 4560	3536	C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe	rundll32.exe
PID 3536 wrote to memory of 4560	3536	C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe	rundll32.exe
PID 4560 wrote to memory of 3936	4560	rundll32.exe	RUNDLL32.EXE
PID 4560 wrote to memory of 3936	4560	rundll32.exe	RUNDLL32.EXE
PID 4560 wrote to memory of 3936	4560	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe
"C:\Users\Admin\AppData\Local\Temp\C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\C4BA15~1.EXE
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL,Zg9XfDb6ADD7
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 388
2⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3536 -ip 3536
1⤵
PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4BA15~1.EXE.dll
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4BA15~1.EXE.dll
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4BA15~1.EXE.dll
Filesize
3.7MB

MD5
0564653f8803ae19550848a7ecdda706

SHA1
70b0f693dd490925e88a586e82bb61b8dd131348

SHA256
9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840

SHA512
ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb

Download Submit
memory/3536-144-0x0000000007005000-0x00000000073CF000-memory.dmp

Filesize
3.8MB

Download
memory/3536-137-0x0000000000400000-0x0000000005154000-memory.dmp

Filesize
77.3MB

Download
memory/3536-131-0x00000000073D0000-0x00000000077AD000-memory.dmp

Filesize
3.9MB

Download
memory/3536-130-0x0000000000400000-0x0000000005154000-memory.dmp

Filesize
77.3MB

Download
memory/3536-147-0x0000000000400000-0x0000000005154000-memory.dmp

Filesize
77.3MB

Download
memory/3936-139-0x0000000000000000-mapping.dmp

Download
memory/3936-142-0x0000000003080000-0x00000000036DF000-memory.dmp

Filesize
6.4MB

Download
memory/3936-146-0x0000000003080000-0x00000000036DF000-memory.dmp

Filesize
6.4MB

Download
memory/3936-148-0x0000000003080000-0x00000000036DF000-memory.dmp

Filesize
6.4MB

Download
memory/4560-136-0x0000000002430000-0x00000000027FB000-memory.dmp

Filesize
3.8MB

Download
memory/4560-132-0x0000000000000000-mapping.dmp

Download
memory/4560-138-0x0000000002B40000-0x000000000319F000-memory.dmp

Filesize
6.4MB

Download
memory/4560-141-0x0000000002B40000-0x000000000319F000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing