danabot | 5f801d5aa6e0ffcf00c6d7489804be02c8fcede6be789d1c650f6f59ba1bfae0

General

Target

CRA_INV_2019_541101959306/CRA_INV_2019_541101959306.vbs
Size

23.7MB
MD5

611c2bf7aa7bb62e90f3a92f3682c0b5
SHA1

4a863046a56c0582ac43acabd7f465c725392799
SHA256

f74001bcf33072d683af2fcd20b1e0f1902b86a33898b37df1f364c31136a4ee
SHA512

24adbc4cf7ebed6ac6f5a9a08396d41af15f1d6586890d43be40dd6220f746bcd8ebf2d6bee4a8632a406842e8ece0afff4dfde2e58aabedd19ea15ee3984c60

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

181.63.44.194

207.148.83.108

45.77.40.71

87.115.138.169

24.229.48.7

116.111.206.27

45.196.143.203

218.65.3.199

131.59.110.186

113.81.97.96

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	5108	regsvr32.exe	31

Blocklisted process makes network request 5 IoCs

flow	pid	Process
55	4944	rundll32.exe
56	4944	rundll32.exe
58	4944	rundll32.exe
59	4944	rundll32.exe
60	4944	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
1788	regsvr32.exe
1788	regsvr32.exe
4944	rundll32.exe
4944	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3156	WScript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 1788	4428	regsvr32.exe	89
PID 4428 wrote to memory of 1788	4428	regsvr32.exe	89
PID 4428 wrote to memory of 1788	4428	regsvr32.exe	89
PID 1788 wrote to memory of 4944	1788	regsvr32.exe	98
PID 1788 wrote to memory of 4944	1788	regsvr32.exe	98
PID 1788 wrote to memory of 4944	1788	regsvr32.exe	98

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CRA_INV_2019_541101959306\CRA_INV_2019_541101959306.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3156

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\yvNdiXKm.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\yvNdiXKm.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\yvNdiXKm.txt,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yvNdiXKm.txt

Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvNdiXKm.txt

Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvNdiXKm.txt

Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvNdiXKm.txt

Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvNdiXKm.txt

Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
memory/1788-141-0x0000000002BE0000-0x000000000360A000-memory.dmp

Filesize
10.2MB

Download
memory/1788-137-0x0000000002BE0000-0x0000000002D4A000-memory.dmp

Filesize
1.4MB

Download
memory/1788-138-0x0000000002BE0000-0x000000000360A000-memory.dmp

Filesize
10.2MB

Download
memory/1788-136-0x0000000002BE0000-0x000000000360A000-memory.dmp

Filesize
10.2MB

Download
memory/1788-134-0x0000000002BE0000-0x000000000360A000-memory.dmp

Filesize
10.2MB

Download
memory/4944-145-0x0000000002CF0000-0x000000000371A000-memory.dmp

Filesize
10.2MB

Download
memory/4944-147-0x0000000002CF0000-0x000000000371A000-memory.dmp

Filesize
10.2MB

Download
memory/4944-148-0x0000000002CF0000-0x0000000002E5A000-memory.dmp

Filesize
1.4MB

Download
memory/4944-149-0x0000000002CF0000-0x000000000371A000-memory.dmp

Filesize
10.2MB

Download
memory/4944-152-0x0000000002CF0000-0x000000000371A000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing