Overview

overview

10

Static

static

dana.vbs

windows7-x64

10

dana.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-08-2022 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dana.vbs

  • Size

    1.4MB

  • MD5

    a044c72c7f6f03fcacdd752412a03c1f

  • SHA1

    bc48611b299c90d14d2847ce201fea2bb15e9a08

  • SHA256

    6ac20d40a2425f1366ca2f69953f15c374b010d3738b4a430cb6f3935ef3c7c1

  • SHA512

    547a89a9ea81df9527b74cbb1715d32dfc74a9b43b9e107edaea2f686c8d4a3728360b57aaa7fdc461eb3addd6e82037e6ba44e61645adfb41d802972f2eb8e2

Score
10/10
danabotbankerbotnettrojan

Malware Config

Extracted

Family

danabot

C2

185.43.196.194

170.36.230.93

25.125.161.14

152.163.122.91

252.243.36.124

94.2.203.24

95.179.186.57

58.41.130.190

89.144.25.104

182.54.114.216
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 3 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dana.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\jMoOIm.dllHRasUY
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Windows\SysWOW64\regsvr32.exe
        -s C:\Users\Admin\AppData\Local\Temp\\jMoOIm.dllHRasUY
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\jMoOIm.dllHRasUY,f0
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:2096
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2300
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3140
    • C:\Users\Admin\Desktop\n4.exe
      "C:\Users\Admin\Desktop\n4.exe"
      1⤵
        PID:2368

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\jMoOIm.dllHRasUY
        Filesize

        460KB

        MD5

        8cfa24ff327f06f81438f02181c5b790

        SHA1

        ccdf5f2aa6d6f920e468b89f1d45ce1cb758ff5e

        SHA256

        6023fd184fb320359e014eb62c4ca4d673c390c58331bc3a4c1fdc49cc4ba55f

        SHA512

        ae2da82a1c8efb4795f4c7396e52f6bb41d3b772fad5bb98287845d186d1d052d5f7532b46966e72b517dafbd5fea7e9f4b56f8dd6c76905c5b442f6f71b6e19

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\jMoOIm.dllHRasUY
        Filesize

        460KB

        MD5

        8cfa24ff327f06f81438f02181c5b790

        SHA1

        ccdf5f2aa6d6f920e468b89f1d45ce1cb758ff5e

        SHA256

        6023fd184fb320359e014eb62c4ca4d673c390c58331bc3a4c1fdc49cc4ba55f

        SHA512

        ae2da82a1c8efb4795f4c7396e52f6bb41d3b772fad5bb98287845d186d1d052d5f7532b46966e72b517dafbd5fea7e9f4b56f8dd6c76905c5b442f6f71b6e19

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\jMoOIm.dllHRasUY
        Filesize

        460KB

        MD5

        8cfa24ff327f06f81438f02181c5b790

        SHA1

        ccdf5f2aa6d6f920e468b89f1d45ce1cb758ff5e

        SHA256

        6023fd184fb320359e014eb62c4ca4d673c390c58331bc3a4c1fdc49cc4ba55f

        SHA512

        ae2da82a1c8efb4795f4c7396e52f6bb41d3b772fad5bb98287845d186d1d052d5f7532b46966e72b517dafbd5fea7e9f4b56f8dd6c76905c5b442f6f71b6e19

        Download Submit
      • memory/2096-136-0x0000000000000000-mapping.dmp
        Download
      • memory/2808-134-0x0000000000000000-mapping.dmp
        Download
      • memory/3652-132-0x0000000000000000-mapping.dmp
        Download