danabot | c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284

Analysis

max time kernel
151s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-10-2022 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe
Size

255KB
MD5

a5d3a700096282227570e9c794fdb3f3
SHA1

a4d6970ce0515546e9d58b5df2b66734c92c882f
SHA256

c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284
SHA512

91498b7455a547edff16a74bcd6155ce6ce33e3a66dd980f011187824a537e94835ca9b4431d631227f8c17b233c687251212066f4280da613181f57fc3a9eca
SSDEEP

3072:GXVVinpHFLYS7GtqUM8ry8MRWnLtTyp3nclc1LWZ3hiK5ym+oBTHGZDKRn:urwlLToqUM8ry8TnLsWjX5ym+8TmYd

Score

10^/10

danabot vidar 937 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

172.86.120.215:443

213.227.155.103:443

103.187.26.147:443

172.86.120.138:443

Attributes

embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

E822.exe39DD.exe

pid process

4892 E822.exe
3648 39DD.exe
Deletes itself 1 IoCs

Processes:

pid process

2896
Loads dropped DLL 3 IoCs

Processes:

39DD.exe

pid process

3648 39DD.exe
3648 39DD.exe
3648 39DD.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3144 3648 WerFault.exe 39DD.exe
4092 4892 WerFault.exe E822.exe
4880 4892 WerFault.exe E822.exe

pid	process
4892	E822.exe
3648	39DD.exe

pid	process
2896

pid	process
3648	39DD.exe
3648	39DD.exe
3648	39DD.exe

pid	pid_target	process	target process
3144	3648	WerFault.exe	39DD.exe
4092	4892	WerFault.exe	E822.exe
4880	4892	WerFault.exe	E822.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

39DD.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	39DD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	39DD.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe

pid	process
392	c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe
392	c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896
2896

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2896
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe

pid process

392 c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe

pid	process
2896

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2896
Token: SeCreatePagefilePrivilege	2896
Token: SeShutdownPrivilege	2896
Token: SeCreatePagefilePrivilege	2896
Token: SeShutdownPrivilege	2896
Token: SeCreatePagefilePrivilege	2896
Token: SeShutdownPrivilege	2896
Token: SeCreatePagefilePrivilege	2896
Token: SeShutdownPrivilege	2896
Token: SeCreatePagefilePrivilege	2896
Token: SeShutdownPrivilege	2896
Token: SeCreatePagefilePrivilege	2896
Token: SeShutdownPrivilege	2896
Token: SeCreatePagefilePrivilege	2896
Token: SeShutdownPrivilege	2896
Token: SeCreatePagefilePrivilege	2896
Token: SeShutdownPrivilege	2896
Token: SeCreatePagefilePrivilege	2896

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

E822.exe

description	pid	process	target process
PID 2896 wrote to memory of 4892	2896		E822.exe
PID 2896 wrote to memory of 4892	2896		E822.exe
PID 2896 wrote to memory of 4892	2896		E822.exe
PID 4892 wrote to memory of 3700	4892	E822.exe	appidtel.exe
PID 4892 wrote to memory of 3700	4892	E822.exe	appidtel.exe
PID 4892 wrote to memory of 3700	4892	E822.exe	appidtel.exe
PID 2896 wrote to memory of 3648	2896		39DD.exe
PID 2896 wrote to memory of 3648	2896		39DD.exe
PID 2896 wrote to memory of 3648	2896		39DD.exe
PID 4892 wrote to memory of 4900	4892	E822.exe	rundll32.exe
PID 4892 wrote to memory of 4900	4892	E822.exe	rundll32.exe
PID 4892 wrote to memory of 4900	4892	E822.exe	rundll32.exe
PID 4892 wrote to memory of 4900	4892	E822.exe	rundll32.exe
PID 4892 wrote to memory of 4900	4892	E822.exe	rundll32.exe
PID 4892 wrote to memory of 4900	4892	E822.exe	rundll32.exe
PID 4892 wrote to memory of 4900	4892	E822.exe	rundll32.exe
PID 4892 wrote to memory of 4900	4892	E822.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe
"C:\Users\Admin\AppData\Local\Temp\c619ed514e2ce8d5b06b7a491992f6c855f7612a51d16205d775271d4a955284.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:392

C:\Users\Admin\AppData\Local\Temp\E822.exe
C:\Users\Admin\AppData\Local\Temp\E822.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 600
2⤵
- Program crash
PID:4092

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 632
2⤵
- Program crash
PID:4880

C:\Users\Admin\AppData\Local\Temp\39DD.exe
C:\Users\Admin\AppData\Local\Temp\39DD.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1748
2⤵
- Program crash
PID:3144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\39DD.exe
Filesize
343KB

MD5
ba97a8ba982684ffd26140b002fcf5f6

SHA1
8d0b982e8e9aaf3a84e3b17ebc910d26d341b1f7

SHA256
a3282df5188935d442674443e22d2f8bc5d5390a778b386a675d2a66a619d47b

SHA512
27823fba4a49841df28e5cd99dc68d9a258213cafade5aacaabac60461bdc273751aba808c7008374b3c7861664c7b1b301556c9b2e5ada8bf6c435e05a5ea8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\39DD.exe
Filesize
343KB

MD5
ba97a8ba982684ffd26140b002fcf5f6

SHA1
8d0b982e8e9aaf3a84e3b17ebc910d26d341b1f7

SHA256
a3282df5188935d442674443e22d2f8bc5d5390a778b386a675d2a66a619d47b

SHA512
27823fba4a49841df28e5cd99dc68d9a258213cafade5aacaabac60461bdc273751aba808c7008374b3c7861664c7b1b301556c9b2e5ada8bf6c435e05a5ea8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E822.exe
Filesize
1.3MB

MD5
72734bc3f7c19c56a22263a7bde5433c

SHA1
7660179bd278a8b15a4655caad6395ba964297fc

SHA256
70b6ae3395cc7811570b279d3d09ffaa65a8610547d2591b28b8bc737ca8325b

SHA512
949decd88e3eddc5ba0008671e50647be60dcb5e9a38560541483a21d256d7d3674bdec0203d730d772022fda493b19f551a3fcd2e5520596595158dcd5f48c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E822.exe
Filesize
1.3MB

MD5
72734bc3f7c19c56a22263a7bde5433c

SHA1
7660179bd278a8b15a4655caad6395ba964297fc

SHA256
70b6ae3395cc7811570b279d3d09ffaa65a8610547d2591b28b8bc737ca8325b

SHA512
949decd88e3eddc5ba0008671e50647be60dcb5e9a38560541483a21d256d7d3674bdec0203d730d772022fda493b19f551a3fcd2e5520596595158dcd5f48c5

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
memory/392-144-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-148-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-127-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-128-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-129-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-130-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-131-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-132-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-133-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-134-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-135-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-136-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-137-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-138-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-139-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-140-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-141-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-142-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-143-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-119-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-145-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-146-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-147-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-125-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-149-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-150-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-151-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-152-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-153-0x0000000002CF0000-0x0000000002E3A000-memory.dmp

Filesize
1.3MB

Download
memory/392-154-0x0000000002C30000-0x0000000002CDE000-memory.dmp

Filesize
696KB

Download
memory/392-155-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/392-156-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/392-120-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-121-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-122-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-123-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/392-124-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3648-301-0x0000000002E41000-0x0000000002E6D000-memory.dmp

Filesize
176KB

Download
memory/3648-302-0x0000000000400000-0x0000000002C44000-memory.dmp

Filesize
40.3MB

Download
memory/3648-260-0x0000000000400000-0x0000000002C44000-memory.dmp

Filesize
40.3MB

Download
memory/3648-252-0x00000000048D0000-0x0000000004919000-memory.dmp

Filesize
292KB

Download
memory/3648-251-0x0000000002E41000-0x0000000002E6D000-memory.dmp

Filesize
176KB

Download
memory/3648-208-0x0000000000000000-mapping.dmp

Download
memory/3700-193-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-194-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3700-192-0x0000000000000000-mapping.dmp

Download
memory/4892-160-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-173-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-174-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-172-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-175-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-176-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-177-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-178-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-179-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-180-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-182-0x0000000003030000-0x0000000003160000-memory.dmp

Filesize
1.2MB

Download
memory/4892-181-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-183-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-185-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-184-0x0000000004B90000-0x0000000004E5C000-memory.dmp

Filesize
2.8MB

Download
memory/4892-186-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-187-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-188-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-189-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-190-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-191-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-200-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/4892-205-0x0000000003030000-0x0000000003160000-memory.dmp

Filesize
1.2MB

Download
memory/4892-206-0x0000000004B90000-0x0000000004E5C000-memory.dmp

Filesize
2.8MB

Download
memory/4892-207-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/4892-171-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-170-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-169-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-168-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-165-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-164-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-163-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-162-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-161-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-159-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4892-157-0x0000000000000000-mapping.dmp

Download
memory/4892-319-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/4892-320-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download