danabot | b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543

Analysis

max time kernel
150s
max time network
137s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-09-2022 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe
Size

197KB
MD5

c0c84e5c6c1b09b5a987bff067aa29dd
SHA1

d258b9984f0e13434d1cb337b8d9f53d5e29b4b3
SHA256

b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543
SHA512

e1c82276d5fc42a905aca9dbcdc03be434b9f418fa6457588ed0f9442d6dd56aabf66a02f54cfb219cb518e8a5d00149e354406c9e7ede74f80c387d3fa8a313
SSDEEP

3072:fbcAgLgJLGA4N5fi2x7iZin/RoJT3sYlBnnE8T/PkkXx:ILo5OLxmZM/RoJT8C

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

5DC0.exe

pid process

4024 5DC0.exe
Deletes itself 1 IoCs

Processes:

pid process

2900
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3352 4024 WerFault.exe 5DC0.exe
4696 4024 WerFault.exe 5DC0.exe

pid	process
4024	5DC0.exe

pid	process
2900

pid	pid_target	process	target process
3352	4024	WerFault.exe	5DC0.exe
4696	4024	WerFault.exe	5DC0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe

pid	process
2580	b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe
2580	b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2900
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe

pid process

2580 b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2900
Token: SeCreatePagefilePrivilege 2900

pid	process
2900

description	pid	process
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

5DC0.exe

description	pid	process	target process
PID 2900 wrote to memory of 4024	2900		5DC0.exe
PID 2900 wrote to memory of 4024	2900		5DC0.exe
PID 2900 wrote to memory of 4024	2900		5DC0.exe
PID 4024 wrote to memory of 4872	4024	5DC0.exe	appidtel.exe
PID 4024 wrote to memory of 4872	4024	5DC0.exe	appidtel.exe
PID 4024 wrote to memory of 4872	4024	5DC0.exe	appidtel.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe
PID 4024 wrote to memory of 3296	4024	5DC0.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe
"C:\Users\Admin\AppData\Local\Temp\b042f121f497e12dec719011bcfac3357f662d8412c1960d3599293eb0051543.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2580

C:\Users\Admin\AppData\Local\Temp\5DC0.exe
C:\Users\Admin\AppData\Local\Temp\5DC0.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:4872

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 600
2⤵
- Program crash
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 624
2⤵
- Program crash
PID:4696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5DC0.exe
Filesize
1.3MB

MD5
0d04f4dcf1c8057b6ed68057444a68a8

SHA1
c5c089025aef15d1aaa13c746f597bcb57fc45ce

SHA256
c13e4751e60749c9f221b107efbc807514299c8452346f5fdf07de91fc47c7de

SHA512
46a42550b0996c9875f7e68afa21b32437f013d2b3a8db7b6965b86ded369c3ef9dfbcbbc11904c58456e1d5919dea897b1f59455ea77af016c901e43b0984b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DC0.exe
Filesize
1.3MB

MD5
0d04f4dcf1c8057b6ed68057444a68a8

SHA1
c5c089025aef15d1aaa13c746f597bcb57fc45ce

SHA256
c13e4751e60749c9f221b107efbc807514299c8452346f5fdf07de91fc47c7de

SHA512
46a42550b0996c9875f7e68afa21b32437f013d2b3a8db7b6965b86ded369c3ef9dfbcbbc11904c58456e1d5919dea897b1f59455ea77af016c901e43b0984b2

Download Submit
memory/2580-139-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-120-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-124-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-141-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-126-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-127-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-128-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-129-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-130-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-131-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-132-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-133-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-134-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-136-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-137-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-138-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-122-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-140-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-125-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-123-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-143-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-144-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-145-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-146-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-147-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-148-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-149-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-150-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-152-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-153-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-154-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/2580-155-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-151-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/2580-156-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2580-157-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2580-142-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-121-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-158-0x0000000000000000-mapping.dmp

Download
memory/4024-181-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-161-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-163-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-164-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-165-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-166-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-168-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-169-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-170-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-171-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-160-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-172-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-173-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-174-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-175-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-177-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-178-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-179-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-162-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-180-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-182-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-183-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-184-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-185-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-186-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-187-0x00000000022F0000-0x0000000002421000-memory.dmp

Filesize
1.2MB

Download
memory/4024-188-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-190-0x00000000024C0000-0x000000000279B000-memory.dmp

Filesize
2.9MB

Download
memory/4024-189-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-191-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-192-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4024-193-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4024-221-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4024-209-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4024-207-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4024-206-0x00000000024C0000-0x000000000279B000-memory.dmp

Filesize
2.9MB

Download
memory/4872-196-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-195-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-194-0x0000000000000000-mapping.dmp

Download