danabot | 9fc9d28077290d908516a0fb27bbd7361e7b8ec842e3451a9985697d54b31608

General

Target

9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll
Size

3.8MB
MD5

9c52ec98ac0e9e6fa4cc47a75874587e
SHA1

6bc94c984e6908ecf1e339642172519c82c6a30e
SHA256

9fc9d28077290d908516a0fb27bbd7361e7b8ec842e3451a9985697d54b31608
SHA512

6bb9b55dc1b7271cb6490db2093e94d2d63b6bb571be9670957f4e673d8d660bc540bf58ef87906e0f6cbfbd5f2939055b4ec2414d1e7ee6434c406d98b7ee75
SSDEEP

98304:Io9Ui7KhE8MBGHLLVNUvSlZ902ojL5mT0dAVz2huo0:g5aJGXTUvw02+L5mT0dsC50

Score

10^/10

danabot 3 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

3

C2

192.236.192.241:443

134.119.186.198:443

104.168.156.222:443

167.114.188.34:443

Attributes

embedded_hash
82C66843DE542BC5CB88F713DE39B52B
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

4 616 RUNDLL32.EXE
5 616 RUNDLL32.EXE
6 616 RUNDLL32.EXE
9 616 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
4	616	RUNDLL32.EXE
5	616	RUNDLL32.EXE
6	616	RUNDLL32.EXE
9	616	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\INLM2B61\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	RUNDLL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exe

pid process

1876 powershell.exe
616 RUNDLL32.EXE
616 RUNDLL32.EXE
840 powershell.exe

pid	process
1876	powershell.exe
616	RUNDLL32.EXE
616	RUNDLL32.EXE
840	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1536	rundll32.exe
Token: SeDebugPrivilege	616	RUNDLL32.EXE
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

616 RUNDLL32.EXE

pid	process
616	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

rundll32.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1536 wrote to memory of 616	1536	rundll32.exe	RUNDLL32.EXE
PID 1536 wrote to memory of 616	1536	rundll32.exe	RUNDLL32.EXE
PID 1536 wrote to memory of 616	1536	rundll32.exe	RUNDLL32.EXE
PID 1536 wrote to memory of 616	1536	rundll32.exe	RUNDLL32.EXE
PID 1536 wrote to memory of 616	1536	rundll32.exe	RUNDLL32.EXE
PID 1536 wrote to memory of 616	1536	rundll32.exe	RUNDLL32.EXE
PID 1536 wrote to memory of 616	1536	rundll32.exe	RUNDLL32.EXE
PID 616 wrote to memory of 1876	616	RUNDLL32.EXE	powershell.exe
PID 616 wrote to memory of 1876	616	RUNDLL32.EXE	powershell.exe
PID 616 wrote to memory of 1876	616	RUNDLL32.EXE	powershell.exe
PID 616 wrote to memory of 1876	616	RUNDLL32.EXE	powershell.exe
PID 616 wrote to memory of 840	616	RUNDLL32.EXE	powershell.exe
PID 616 wrote to memory of 840	616	RUNDLL32.EXE	powershell.exe
PID 616 wrote to memory of 840	616	RUNDLL32.EXE	powershell.exe
PID 616 wrote to memory of 840	616	RUNDLL32.EXE	powershell.exe
PID 840 wrote to memory of 808	840	powershell.exe	nslookup.exe
PID 840 wrote to memory of 808	840	powershell.exe	nslookup.exe
PID 840 wrote to memory of 808	840	powershell.exe	nslookup.exe
PID 840 wrote to memory of 808	840	powershell.exe	nslookup.exe
PID 616 wrote to memory of 980	616	RUNDLL32.EXE	schtasks.exe
PID 616 wrote to memory of 980	616	RUNDLL32.EXE	schtasks.exe
PID 616 wrote to memory of 980	616	RUNDLL32.EXE	schtasks.exe
PID 616 wrote to memory of 980	616	RUNDLL32.EXE	schtasks.exe
PID 616 wrote to memory of 1360	616	RUNDLL32.EXE	schtasks.exe
PID 616 wrote to memory of 1360	616	RUNDLL32.EXE	schtasks.exe
PID 616 wrote to memory of 1360	616	RUNDLL32.EXE	schtasks.exe
PID 616 wrote to memory of 1360	616	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,#1
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,QCkX
3⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpECDF.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1FA4.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:808

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:980

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1FA4.tmp.ps1
Filesize
80B

MD5
30894f58d44a6ecf7ea27d5e4ca6908e

SHA1
399f2c861d4a6da8681f9a571c9b76ee959b71c4

SHA256
4629ea59ea77f03d3d5198d074ba4dd75471ee71f1b15d0d8f5d829c52852831

SHA512
c220c0259ae48b98c34341092ff8b85049eca190418393df35b433f1390056fbfa199b39442a10dff9d25d15537be72f0031e5341a0d0729483f790b7e8cb1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1FA5.tmp
Filesize
86B

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpECDF.tmp.ps1
Filesize
261B

MD5
29f052fe0e175c48c3ebf54caf19b056

SHA1
f856ddbd183c3ec42389b4411e67115ca56cdc9c

SHA256
e0ec7b3c0850ac622c6de08b53e3bc3eef1f684a63acc545d7165631c3b8aac0

SHA512
080e46ba0c69d38bb849134a7345c681a0dedd1da55d5ae7bb5599a13eecb8d5f419db4b9b409ea1333b75c2c656e10d99d7b62bb42b0598917b90b0fb54b30c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
85c92de9479494790d26b717bcba4802

SHA1
0c4b02ab81bb5cf6442b6cdc8b17a814cfcb66eb

SHA256
856ad5e0202605c03e6759f7eebaf0c73b15176b2e18991bf73d16b21926b515

SHA512
f661792af50fb22c03b2305dce9e0960463ccf552c240b119e18e81e29265c5b142f8ff3104d01610ed56028d607c224bce67695ec47bcdd570614fe5c05ebb0

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/616-60-0x0000000001BB0000-0x0000000001F7D000-memory.dmp

Filesize
3.8MB

Download
memory/616-58-0x0000000000000000-mapping.dmp

Download
memory/616-62-0x0000000002490000-0x0000000002AF2000-memory.dmp

Filesize
6.4MB

Download
memory/616-63-0x0000000002490000-0x0000000002AF2000-memory.dmp

Filesize
6.4MB

Download
memory/808-75-0x0000000000000000-mapping.dmp

Download
memory/840-73-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/840-69-0x0000000000000000-mapping.dmp

Download
memory/840-76-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/980-78-0x0000000000000000-mapping.dmp

Download
memory/1360-79-0x0000000000000000-mapping.dmp

Download
memory/1536-54-0x0000000000000000-mapping.dmp

Download
memory/1536-57-0x00000000028C0000-0x0000000002F22000-memory.dmp

Filesize
6.4MB

Download
memory/1536-56-0x0000000002220000-0x00000000025ED000-memory.dmp

Filesize
3.8MB

Download
memory/1536-61-0x00000000028C0000-0x0000000002F22000-memory.dmp

Filesize
6.4MB

Download
memory/1536-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1876-68-0x0000000073320000-0x00000000738CB000-memory.dmp

Filesize
5.7MB

Download
memory/1876-64-0x0000000000000000-mapping.dmp

Download
memory/1876-66-0x0000000073320000-0x00000000738CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads