danabot | 46947cd767a758a93ea70820b806483cb86550f86d961705719b386d436e50ef

General

Target

46947cd767a758a93ea70820b806483cb86550f86d961705719b386d436e50ef.exe
Size

5.9MB
MD5

8ec9015238e53a37552979a18c514ccf
SHA1

235aead47f8dea471ef92bcb1ef6710399465566
SHA256

46947cd767a758a93ea70820b806483cb86550f86d961705719b386d436e50ef
SHA512

809eb9a5367b530b4f47889535e14a8fd9e8a9e1c9bc719f914da387243cccf533a76e3b471633b3583cc491d199d4311c3c4f8cc627342a33537edfc010a271

Score

10^/10

danabot 3 banker discovery spyware stealer suricata trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

193.34.167.88:443

192.210.198.12:443

23.81.246.201:443

192.3.26.107:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
suricata
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

11 1124 RUNDLL32.EXE
28 1124 RUNDLL32.EXE
32 1124 RUNDLL32.EXE
35 1124 RUNDLL32.EXE
Loads dropped DLL 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

4984 rundll32.exe
4984 rundll32.exe
1124 RUNDLL32.EXE
1124 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

628 3396 WerFault.exe 46947cd767a758a93ea70820b806483cb86550f86d961705719b386d436e50ef.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 4984 rundll32.exe
Token: SeDebugPrivilege 1124 RUNDLL32.EXE

flow	pid	process
11	1124	RUNDLL32.EXE
28	1124	RUNDLL32.EXE
32	1124	RUNDLL32.EXE
35	1124	RUNDLL32.EXE

pid	process
4984	rundll32.exe
4984	rundll32.exe
1124	RUNDLL32.EXE
1124	RUNDLL32.EXE

pid	pid_target	process	target process
628	3396	WerFault.exe	46947cd767a758a93ea70820b806483cb86550f86d961705719b386d436e50ef.exe

description	pid	process
Token: SeDebugPrivilege	4984	rundll32.exe
Token: SeDebugPrivilege	1124	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

46947cd767a758a93ea70820b806483cb86550f86d961705719b386d436e50ef.exerundll32.exe

description	pid	process	target process
PID 3396 wrote to memory of 4984	3396	46947cd767a758a93ea70820b806483cb86550f86d961705719b386d436e50ef.exe	rundll32.exe
PID 3396 wrote to memory of 4984	3396	46947cd767a758a93ea70820b806483cb86550f86d961705719b386d436e50ef.exe	rundll32.exe
PID 3396 wrote to memory of 4984	3396	46947cd767a758a93ea70820b806483cb86550f86d961705719b386d436e50ef.exe	rundll32.exe
PID 4984 wrote to memory of 1124	4984	rundll32.exe	RUNDLL32.EXE
PID 4984 wrote to memory of 1124	4984	rundll32.exe	RUNDLL32.EXE
PID 4984 wrote to memory of 1124	4984	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\46947cd767a758a93ea70820b806483cb86550f86d961705719b386d436e50ef.exe
"C:\Users\Admin\AppData\Local\Temp\46947cd767a758a93ea70820b806483cb86550f86d961705719b386d436e50ef.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\46947C~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\46947C~1.EXE
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\46947C~1.DLL,DAAMfI0=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 676
2⤵
- Program crash
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3396 -ip 3396
1⤵
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46947C~1.DLL
Filesize
5.7MB

MD5
07ecd403f1e0b9e81a47d17645141689

SHA1
0bd93f3a401700aeef580573e74ed36ab83b5c90

SHA256
1be2574e619386b8c9e1e9172c8336a0dce30d33d465e1ffe6762068060d54b4

SHA512
27f64bd02a436dc1eaa54dc5202e27d971f0f256607ba2ac4a77d78551696d33cadcf1dc94ef4115030e0899ab2d3be2458548357261b2c6417d76f1d9039b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\46947C~1.EXE.dll
Filesize
5.7MB

MD5
07ecd403f1e0b9e81a47d17645141689

SHA1
0bd93f3a401700aeef580573e74ed36ab83b5c90

SHA256
1be2574e619386b8c9e1e9172c8336a0dce30d33d465e1ffe6762068060d54b4

SHA512
27f64bd02a436dc1eaa54dc5202e27d971f0f256607ba2ac4a77d78551696d33cadcf1dc94ef4115030e0899ab2d3be2458548357261b2c6417d76f1d9039b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\46947C~1.EXE.dll
Filesize
5.7MB

MD5
07ecd403f1e0b9e81a47d17645141689

SHA1
0bd93f3a401700aeef580573e74ed36ab83b5c90

SHA256
1be2574e619386b8c9e1e9172c8336a0dce30d33d465e1ffe6762068060d54b4

SHA512
27f64bd02a436dc1eaa54dc5202e27d971f0f256607ba2ac4a77d78551696d33cadcf1dc94ef4115030e0899ab2d3be2458548357261b2c6417d76f1d9039b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\46947C~1.EXE.dll
Filesize
5.7MB

MD5
07ecd403f1e0b9e81a47d17645141689

SHA1
0bd93f3a401700aeef580573e74ed36ab83b5c90

SHA256
1be2574e619386b8c9e1e9172c8336a0dce30d33d465e1ffe6762068060d54b4

SHA512
27f64bd02a436dc1eaa54dc5202e27d971f0f256607ba2ac4a77d78551696d33cadcf1dc94ef4115030e0899ab2d3be2458548357261b2c6417d76f1d9039b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\46947C~1.EXE.dll
Filesize
5.7MB

MD5
07ecd403f1e0b9e81a47d17645141689

SHA1
0bd93f3a401700aeef580573e74ed36ab83b5c90

SHA256
1be2574e619386b8c9e1e9172c8336a0dce30d33d465e1ffe6762068060d54b4

SHA512
27f64bd02a436dc1eaa54dc5202e27d971f0f256607ba2ac4a77d78551696d33cadcf1dc94ef4115030e0899ab2d3be2458548357261b2c6417d76f1d9039b51

Download Submit
memory/1124-144-0x0000000000000000-mapping.dmp

Download
memory/1124-147-0x0000000002270000-0x0000000002829000-memory.dmp

Filesize
5.7MB

Download
memory/1124-153-0x0000000002D70000-0x00000000033CF000-memory.dmp

Filesize
6.4MB

Download
memory/1124-151-0x0000000002D70000-0x00000000033CF000-memory.dmp

Filesize
6.4MB

Download
memory/1124-149-0x0000000002D70000-0x00000000033CF000-memory.dmp

Filesize
6.4MB

Download
memory/3396-131-0x0000000006750000-0x0000000006E45000-memory.dmp

Filesize
7.0MB

Download
memory/3396-132-0x0000000000400000-0x0000000004354000-memory.dmp

Filesize
63.3MB

Download
memory/3396-130-0x000000000618C000-0x0000000006747000-memory.dmp

Filesize
5.7MB

Download
memory/3396-150-0x0000000006750000-0x0000000006E45000-memory.dmp

Filesize
7.0MB

Download
memory/3396-152-0x0000000000400000-0x0000000004354000-memory.dmp

Filesize
63.3MB

Download
memory/4984-133-0x0000000000000000-mapping.dmp

Download
memory/4984-148-0x0000000003900000-0x0000000003F5F000-memory.dmp

Filesize
6.4MB

Download
memory/4984-143-0x0000000003900000-0x0000000003F5F000-memory.dmp

Filesize
6.4MB

Download
memory/4984-138-0x0000000003900000-0x0000000003F5F000-memory.dmp

Filesize
6.4MB

Download
memory/4984-137-0x0000000002C90000-0x0000000003249000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing