danabot | 3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a

General

Target

3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe
Size

5.9MB
MD5

0345d4c916d2c9616725311f373a076d
SHA1

c89e3b9fb34f2a01883fa89b2fa9cc251a369cca
SHA256

3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a
SHA512

3ac77c8503a8128e434117b124809df04317fad58ecd91170a27cf69fa126f955eb9a93977eef0c00a3d1909e6c5f547a687ae8d36af0b3023a5304414902db3

Score

10^/10

danabot 3 banker discovery spyware stealer suricata trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

192.3.26.107:443

193.34.167.88:443

134.119.186.216:443

192.210.198.12:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
suricata
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

13 2352 RUNDLL32.EXE
14 2352 RUNDLL32.EXE
22 2352 RUNDLL32.EXE
29 2352 RUNDLL32.EXE
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2220 rundll32.exe
2352 RUNDLL32.EXE
2352 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1040 3856 WerFault.exe 3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 2220 rundll32.exe
Token: SeDebugPrivilege 2352 RUNDLL32.EXE

flow	pid	process
13	2352	RUNDLL32.EXE
14	2352	RUNDLL32.EXE
22	2352	RUNDLL32.EXE
29	2352	RUNDLL32.EXE

pid	process
2220	rundll32.exe
2352	RUNDLL32.EXE
2352	RUNDLL32.EXE

pid	pid_target	process	target process
1040	3856	WerFault.exe	3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe

description	pid	process
Token: SeDebugPrivilege	2220	rundll32.exe
Token: SeDebugPrivilege	2352	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exerundll32.exe

description	pid	process	target process
PID 3856 wrote to memory of 2220	3856	3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe	rundll32.exe
PID 3856 wrote to memory of 2220	3856	3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe	rundll32.exe
PID 3856 wrote to memory of 2220	3856	3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe	rundll32.exe
PID 2220 wrote to memory of 2352	2220	rundll32.exe	RUNDLL32.EXE
PID 2220 wrote to memory of 2352	2220	rundll32.exe	RUNDLL32.EXE
PID 2220 wrote to memory of 2352	2220	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe
"C:\Users\Admin\AppData\Local\Temp\3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3636BB~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\3636BB~1.EXE
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3636BB~1.DLL,Ywhb
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 508
2⤵
- Program crash
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3856 -ip 3856
1⤵
PID:448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3636BB~1.DLL
Filesize
5.7MB

MD5
c9e2087ec59746669cb39f5b14e2eed3

SHA1
df33f8f05ea0625be4a38e5c128962e81958a360

SHA256
e98012ba641630a46d46c0d2070151fbe2e9a4598a6402222c32784a564582ff

SHA512
ab5e86083108db558954a3ef405deaa22b645b5e6c660665d3aca0e9712e24455ebacbf9e4f2c1e45a61c4f18513c3390f4cb1ed621b8826ac89f8ed6f561726

Download Submit
C:\Users\Admin\AppData\Local\Temp\3636BB~1.EXE.dll
Filesize
5.7MB

MD5
c9e2087ec59746669cb39f5b14e2eed3

SHA1
df33f8f05ea0625be4a38e5c128962e81958a360

SHA256
e98012ba641630a46d46c0d2070151fbe2e9a4598a6402222c32784a564582ff

SHA512
ab5e86083108db558954a3ef405deaa22b645b5e6c660665d3aca0e9712e24455ebacbf9e4f2c1e45a61c4f18513c3390f4cb1ed621b8826ac89f8ed6f561726

Download Submit
C:\Users\Admin\AppData\Local\Temp\3636BB~1.EXE.dll
Filesize
5.7MB

MD5
c9e2087ec59746669cb39f5b14e2eed3

SHA1
df33f8f05ea0625be4a38e5c128962e81958a360

SHA256
e98012ba641630a46d46c0d2070151fbe2e9a4598a6402222c32784a564582ff

SHA512
ab5e86083108db558954a3ef405deaa22b645b5e6c660665d3aca0e9712e24455ebacbf9e4f2c1e45a61c4f18513c3390f4cb1ed621b8826ac89f8ed6f561726

Download Submit
C:\Users\Admin\AppData\Local\Temp\3636BB~1.EXE.dll
Filesize
5.7MB

MD5
c9e2087ec59746669cb39f5b14e2eed3

SHA1
df33f8f05ea0625be4a38e5c128962e81958a360

SHA256
e98012ba641630a46d46c0d2070151fbe2e9a4598a6402222c32784a564582ff

SHA512
ab5e86083108db558954a3ef405deaa22b645b5e6c660665d3aca0e9712e24455ebacbf9e4f2c1e45a61c4f18513c3390f4cb1ed621b8826ac89f8ed6f561726

Download Submit
memory/2220-136-0x0000000003260000-0x00000000038C0000-memory.dmp

Filesize
6.4MB

Download
memory/2220-133-0x0000000000000000-mapping.dmp

Download
memory/2220-143-0x0000000003260000-0x00000000038C0000-memory.dmp

Filesize
6.4MB

Download
memory/2352-139-0x0000000000000000-mapping.dmp

Download
memory/2352-142-0x0000000002750000-0x0000000002D0A000-memory.dmp

Filesize
5.7MB

Download
memory/2352-144-0x0000000003360000-0x00000000039C0000-memory.dmp

Filesize
6.4MB

Download
memory/2352-145-0x0000000003360000-0x00000000039C0000-memory.dmp

Filesize
6.4MB

Download
memory/2352-148-0x0000000003360000-0x00000000039C0000-memory.dmp

Filesize
6.4MB

Download
memory/3856-131-0x0000000002910000-0x0000000003005000-memory.dmp

Filesize
7.0MB

Download
memory/3856-130-0x0000000002348000-0x0000000002903000-memory.dmp

Filesize
5.7MB

Download
memory/3856-132-0x0000000000400000-0x0000000001D29000-memory.dmp

Filesize
25.2MB

Download
memory/3856-146-0x0000000002910000-0x0000000003005000-memory.dmp

Filesize
7.0MB

Download
memory/3856-147-0x0000000000400000-0x0000000001D29000-memory.dmp

Filesize
25.2MB

Download

Analysis

Sharing