danabot | aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88

Analysis

max time kernel
150s
max time network
140s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe
Size

201KB
MD5

3e04a5b2e4999590c8eb8907103038c1
SHA1

66a56a94fc752d6752c2a66f05610f9527de575b
SHA256

aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88
SHA512

40d21c4638d906b007d39b0648282817ff965d14a8366f6547e18c333a79a331001f27cb0c78556b077b1240679f9ca3cafb91a2282243d922472ddbe2a8d5ac
SSDEEP

3072:gwnkOHpaJLI/GHz85T9Bl7D4QhMNyCm3R4EyoNnH+BZPr/m/Pkj4x:guQLxHUBl7D4QhTCmCEZNA

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

4B80.exe

pid process

996 4B80.exe
Deletes itself 1 IoCs

Processes:

pid process

2836
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4552 996 WerFault.exe 4B80.exe
4876 996 WerFault.exe 4B80.exe

pid	process
996	4B80.exe

pid	process
2836

pid	pid_target	process	target process
4552	996	WerFault.exe	4B80.exe
4876	996	WerFault.exe	4B80.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe

pid	process
3876	aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe
3876	aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836
2836

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2836
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe

pid process

3876 aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2836
Token: SeCreatePagefilePrivilege 2836

pid	process
2836

description	pid	process
Token: SeShutdownPrivilege	2836
Token: SeCreatePagefilePrivilege	2836

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

4B80.exe

description	pid	process	target process
PID 2836 wrote to memory of 996	2836		4B80.exe
PID 2836 wrote to memory of 996	2836		4B80.exe
PID 2836 wrote to memory of 996	2836		4B80.exe
PID 996 wrote to memory of 3700	996	4B80.exe	appidtel.exe
PID 996 wrote to memory of 3700	996	4B80.exe	appidtel.exe
PID 996 wrote to memory of 3700	996	4B80.exe	appidtel.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe
PID 996 wrote to memory of 4972	996	4B80.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe
"C:\Users\Admin\AppData\Local\Temp\aa85ca0ec4cfec785dc63d1668f91a91779cb708222928e295bfd8b7e54aab88.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3876

C:\Users\Admin\AppData\Local\Temp\4B80.exe
C:\Users\Admin\AppData\Local\Temp\4B80.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 600
2⤵
- Program crash
PID:4552

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 624
2⤵
- Program crash
PID:4876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4B80.exe
Filesize
1.3MB

MD5
0dc4a079fc0071fdf037934c4839ef72

SHA1
d5a51060dc526231c01b2c893dfdecc4a7ea0fc3

SHA256
65f10b6ff070f741f41aaf47e6c23f8bb68ebf1b2679a6183899efd24e06fd91

SHA512
756a1f0aeb7d6f669fcf54a0a09e1b0357fa53aba90505d4ca7089cd6ca697667b9bb155af22348123bc9b6bf9b650a34286e8a9a73767eec451ec1d22bc6e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B80.exe
Filesize
1.3MB

MD5
0dc4a079fc0071fdf037934c4839ef72

SHA1
d5a51060dc526231c01b2c893dfdecc4a7ea0fc3

SHA256
65f10b6ff070f741f41aaf47e6c23f8bb68ebf1b2679a6183899efd24e06fd91

SHA512
756a1f0aeb7d6f669fcf54a0a09e1b0357fa53aba90505d4ca7089cd6ca697667b9bb155af22348123bc9b6bf9b650a34286e8a9a73767eec451ec1d22bc6e71

Download Submit
memory/996-175-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-178-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-216-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/996-215-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/996-202-0x00000000024A0000-0x000000000277B000-memory.dmp

Filesize
2.9MB

Download
memory/996-201-0x0000000002370000-0x000000000249C000-memory.dmp

Filesize
1.2MB

Download
memory/996-200-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/996-185-0x00000000024A0000-0x000000000277B000-memory.dmp

Filesize
2.9MB

Download
memory/996-159-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-160-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-187-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-186-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-184-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-157-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-183-0x0000000002370000-0x000000000249C000-memory.dmp

Filesize
1.2MB

Download
memory/996-182-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-181-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-180-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-179-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-158-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-177-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-176-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-174-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-173-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-172-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-170-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-169-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-168-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-167-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-155-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-166-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-165-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-164-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-163-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-156-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-161-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/996-153-0x0000000000000000-mapping.dmp

Download
memory/3700-188-0x0000000000000000-mapping.dmp

Download
memory/3700-189-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-190-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-137-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-151-0x0000000000866000-0x0000000000877000-memory.dmp

Filesize
68KB

Download
memory/3876-146-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-117-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-152-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3876-150-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-149-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-116-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-148-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-147-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-145-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-144-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-143-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-141-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-142-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3876-140-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/3876-139-0x0000000000866000-0x0000000000877000-memory.dmp

Filesize
68KB

Download
memory/3876-138-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-115-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-118-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-136-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-135-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-134-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-133-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-132-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-131-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-130-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-129-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-128-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-127-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-126-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-125-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-124-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-123-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-122-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-121-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-120-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3876-119-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download