danabot | 9c2408b21ec7b0e1a5e2d324b1098086ba6112d3fd380648992306c20a6bbe55

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2022 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c2408b21ec7b0e1a5e2d324b1098086ba6112d3fd380648992306c20a6bbe55.exe
Size

2.4MB
MD5

eb9c57de0d6e051f9cc977007395a853
SHA1

c894e9313912d973f827ff1bb5c21d440f1a646d
SHA256

9c2408b21ec7b0e1a5e2d324b1098086ba6112d3fd380648992306c20a6bbe55
SHA512

67adb50be456509df1a7e3c6ea326f7782969923dc57a385d5714b9a342a2c77f024c366c8fca8a7e54b040b5d00b1d9810ab86df39a47242ddc4a1f1034ac6e
SSDEEP

49152:pE+MIJ7D/Os614al6pf+Mc76nHnHfM64JazWZunKarP8AS3ba:pEJ0escl8E7anYJazPK68a

Score

10^/10

danabot banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

153.92.223.225:443

198.15.112.179:443

185.62.56.245:443

66.85.147.23:443

Attributes

embedded_hash
61A1CB063216C13FFD2E15D7F3F515E2
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
31	4796	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4796	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 3696	4796	rundll32.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2444	4568	WerFault.exe	81

Checks processor information in registry 2 TTPs 48 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3696	rundll32.exe
3696	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	rundll32.exe
Token: SeDebugPrivilege	3696	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3696	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 4796	4568	9c2408b21ec7b0e1a5e2d324b1098086ba6112d3fd380648992306c20a6bbe55.exe	88
PID 4568 wrote to memory of 4796	4568	9c2408b21ec7b0e1a5e2d324b1098086ba6112d3fd380648992306c20a6bbe55.exe	88
PID 4568 wrote to memory of 4796	4568	9c2408b21ec7b0e1a5e2d324b1098086ba6112d3fd380648992306c20a6bbe55.exe	88
PID 4796 wrote to memory of 3696	4796	rundll32.exe	93
PID 4796 wrote to memory of 3696	4796	rundll32.exe	93
PID 4796 wrote to memory of 3696	4796	rundll32.exe	93
PID 4796 wrote to memory of 3696	4796	rundll32.exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9c2408b21ec7b0e1a5e2d324b1098086ba6112d3fd380648992306c20a6bbe55.exe
"C:\Users\Admin\AppData\Local\Temp\9c2408b21ec7b0e1a5e2d324b1098086ba6112d3fd380648992306c20a6bbe55.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Pedeuesu.dll,start C:\Users\Admin\AppData\Local\Temp\9C2408~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    3⤵
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - outlook_office_path
    - outlook_win_path
    PID:3696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 508
  2⤵
  - Program crash
  PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4568 -ip 4568
1⤵
PID:260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0d502779-c529-4ae0-a0cb-e70926e21349.tmp

Filesize
22KB

MD5
99e972f6d63ded5a9f3d6a06ff481bec

SHA1
b3c98ed6975c649454bce3d88806ad1883e22327

SHA256
d6f11c606729d553e9c9b3d0db9e5d51567ea969bedd98008cce7b9415a17490

SHA512
ecc322a906b25ea835fdfcb528fb0bc11ade80112b9d0783f0c02100a83368b718c45ca5bdbe38c106e3559db7723dc2fdf38e2bf473fb461ddade999d02f416

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBQHURCC-20220812-1921a.log

Filesize
182KB

MD5
6c2ebb04a6025a98e01a40fcfdc8fdfd

SHA1
9e87e55a503eba6994f94f218d5f0367c318b53f

SHA256
00df70d4ee47546f5ab79f093a44ef92b18ba766939d03e9d25611b536173459

SHA512
2867bf7d057194ef6cc4af4b50267fc5798eb60950a2252275d1d36abbb1ff1a3c787b5cf80ed78099d2d03c5ba13ec195b5b72a1c157723e415335a2ccb3e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

Filesize
25KB

MD5
6f6eb502bc56ef0c6af70970cab6b6bd

SHA1
80b18c9e92eec4d3efb993baa1cbb65b9f2efefe

SHA256
fae1c05269e8dd5949302a1ec38625e70e8167a0cfe0734bb0aaf8533ce6bf1e

SHA512
1865e8155bb6838f068d29cdb33eddbae49e5cfc94e8a3f97ea50d008ef0cd34b0fc3cffec43cea7b104dd8673ab77c9d3103a2272ec6c418b3da4c4b6a023d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pedeuesu.dll

Filesize
3.4MB

MD5
0a4be075ff7c43377937669f2e6c040a

SHA1
d097e78537fa7876757256583a47024bf0006fd6

SHA256
351342c60677616c25d8869362ba951102519c9df9761d049a55409fe51387bf

SHA512
cd9b365a889d36ab480ca1ab4f09351b84cff3f0ec26d6b0da5c82507435d9b9b84d835e17b1d41ac73815513dfa7082615719cf388c05f8f4abdf7d8e449e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pedeuesu.dll

Filesize
3.4MB

MD5
0a4be075ff7c43377937669f2e6c040a

SHA1
d097e78537fa7876757256583a47024bf0006fd6

SHA256
351342c60677616c25d8869362ba951102519c9df9761d049a55409fe51387bf

SHA512
cd9b365a889d36ab480ca1ab4f09351b84cff3f0ec26d6b0da5c82507435d9b9b84d835e17b1d41ac73815513dfa7082615719cf388c05f8f4abdf7d8e449e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tuturhssep.tmp

Filesize
3.1MB

MD5
383f37499db8755bc905cef05b7b3880

SHA1
2adcf085c023c2e5e26f0801a3c6f0979b3a83bb

SHA256
4ccd892db7a892251931d4fc98ae55009302ac65d39bdf4c0df11ccd819dc380

SHA512
9c70e1a2ffa1433abd143535aa482b37b56be93f98d30a64fade35c18ba185bffa9748b3ced10e8d369028dd7e5ed15dec60e68ea332dbcc60fb9727002873bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
1KB

MD5
f42f2a2ee390bc203d1984162fd57a8f

SHA1
4cfad4d5561b33d6afcaf06a374ba8cc5b7da289

SHA256
90d944e4a4aa77a6d376114db46b8b3b47fb7e46e7769d34c978c93ec27b0cd1

SHA512
387f2b06a71bd2680b851c69812e9b3af4a41f15d0731d316b258f5453bfb24579dbee389573fbed9d1b775072daec16255ad541e8956608b2e7574de45d27f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
0e90961b61fe2bba06fe5a0b29b9f7a3

SHA1
ea023ea3fba4e3e086e939cc2fd4e114552140a9

SHA256
edb2daddf55d78188d2e7b53da4896a8006c181cad2737ad6a2f9217adf0ce88

SHA512
9656c5517490628310e8660190a5f8131aa8e6ec1c93472f92204c352b0deada6ad1c1228771bd5579a103e238c4ad6a40c6c558607cdb613afe881159ed3c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct1510.tmp

Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct399A.tmp

Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC61E.tmp

Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
memory/3696-157-0x0000000001020000-0x0000000001924000-memory.dmp

Filesize
9.0MB

Download
memory/3696-161-0x00000000030E0000-0x0000000003B03000-memory.dmp

Filesize
10.1MB

Download
memory/3696-146-0x0000000003B10000-0x0000000003C50000-memory.dmp

Filesize
1.2MB

Download
memory/3696-147-0x0000000003B10000-0x0000000003C50000-memory.dmp

Filesize
1.2MB

Download
memory/3696-158-0x00000000030E0000-0x0000000003B03000-memory.dmp

Filesize
10.1MB

Download
memory/4568-139-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/4568-132-0x0000000002833000-0x0000000002A72000-memory.dmp

Filesize
2.2MB

Download
memory/4568-134-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/4568-133-0x0000000002A80000-0x0000000002CF3000-memory.dmp

Filesize
2.4MB

Download
memory/4796-141-0x0000000003440000-0x0000000003E63000-memory.dmp

Filesize
10.1MB

Download
memory/4796-140-0x0000000000400000-0x000000000077F000-memory.dmp

Filesize
3.5MB

Download
memory/4796-142-0x0000000003440000-0x0000000003E63000-memory.dmp

Filesize
10.1MB

Download
memory/4796-138-0x0000000000400000-0x000000000077F000-memory.dmp

Filesize
3.5MB

Download
memory/4796-143-0x0000000003F30000-0x0000000004070000-memory.dmp

Filesize
1.2MB

Download
memory/4796-159-0x0000000000400000-0x000000000077F000-memory.dmp

Filesize
3.5MB

Download
memory/4796-160-0x0000000003440000-0x0000000003E63000-memory.dmp

Filesize
10.1MB

Download
memory/4796-144-0x0000000003F30000-0x0000000004070000-memory.dmp

Filesize
1.2MB

Download