danabot | 9fc9d28077290d908516a0fb27bbd7361e7b8ec842e3451a9985697d54b31608

General

Target

9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll
Size

3.8MB
MD5

9c52ec98ac0e9e6fa4cc47a75874587e
SHA1

6bc94c984e6908ecf1e339642172519c82c6a30e
SHA256

9fc9d28077290d908516a0fb27bbd7361e7b8ec842e3451a9985697d54b31608
SHA512

6bb9b55dc1b7271cb6490db2093e94d2d63b6bb571be9670957f4e673d8d660bc540bf58ef87906e0f6cbfbd5f2939055b4ec2414d1e7ee6434c406d98b7ee75
SSDEEP

98304:Io9Ui7KhE8MBGHLLVNUvSlZ902ojL5mT0dAVz2huo0:g5aJGXTUvw02+L5mT0dsC50

Score

10^/10

danabot 3 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

3

C2

192.236.192.241:443

134.119.186.198:443

104.168.156.222:443

167.114.188.34:443

Attributes

embedded_hash
82C66843DE542BC5CB88F713DE39B52B
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2808 powershell.exe
2808 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exe

description pid process

Token: SeDebugPrivilege 1908 rundll32.exe
Token: SeDebugPrivilege 3804 RUNDLL32.EXE
Token: SeDebugPrivilege 2808 powershell.exe

pid	process
2808	powershell.exe
2808	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1908	rundll32.exe
Token: SeDebugPrivilege	3804	RUNDLL32.EXE
Token: SeDebugPrivilege	2808	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exeRUNDLL32.EXE

description	pid	process	target process
PID 3408 wrote to memory of 1908	3408	rundll32.exe	rundll32.exe
PID 3408 wrote to memory of 1908	3408	rundll32.exe	rundll32.exe
PID 3408 wrote to memory of 1908	3408	rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 3804	1908	rundll32.exe	RUNDLL32.EXE
PID 1908 wrote to memory of 3804	1908	rundll32.exe	RUNDLL32.EXE
PID 1908 wrote to memory of 3804	1908	rundll32.exe	RUNDLL32.EXE
PID 3804 wrote to memory of 2808	3804	RUNDLL32.EXE	powershell.exe
PID 3804 wrote to memory of 2808	3804	RUNDLL32.EXE	powershell.exe
PID 3804 wrote to memory of 2808	3804	RUNDLL32.EXE	powershell.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,#1
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,jjpUfDZ9Aw==
3⤵
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC8E.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC8E.tmp.ps1
Filesize
260B

MD5
bdd5f197557746c87715b294992cf23b

SHA1
12eafface2dea9ac4a9c7214bc51b5f5cee3e890

SHA256
48436399ad831ce9df9a5c36214aad876358a9392dbf6e927ee07345d0f20d4f

SHA512
3f87fb04f52b42dcc2ba830dbfaa25dbb0175eb23d9e4275eac60f6ee245e6a4dd7f4d0c6568083a615c8447799920dc84caa7bbaa0d7d5c108b74061fefb06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC8F.tmp
Filesize
1KB

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
memory/1908-132-0x0000000000000000-mapping.dmp

Download
memory/1908-133-0x0000000002F80000-0x00000000035E2000-memory.dmp

Filesize
6.4MB

Download
memory/1908-138-0x0000000002F80000-0x00000000035E2000-memory.dmp

Filesize
6.4MB

Download
memory/2808-144-0x0000000004F80000-0x00000000055A8000-memory.dmp

Filesize
6.2MB

Download
memory/2808-146-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/2808-153-0x0000000006FB0000-0x0000000006FB8000-memory.dmp

Filesize
32KB

Download
memory/2808-142-0x0000000000000000-mapping.dmp

Download
memory/2808-143-0x0000000002480000-0x00000000024B6000-memory.dmp

Filesize
216KB

Download
memory/2808-152-0x0000000006330000-0x000000000634A000-memory.dmp

Filesize
104KB

Download
memory/2808-145-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/2808-151-0x0000000007610000-0x0000000007C8A000-memory.dmp

Filesize
6.5MB

Download
memory/2808-147-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/2808-148-0x0000000004B10000-0x0000000004B2E000-memory.dmp

Filesize
120KB

Download
memory/2808-150-0x0000000005DD0000-0x0000000005DDA000-memory.dmp

Filesize
40KB

Download
memory/3804-137-0x00000000021F0000-0x00000000025BD000-memory.dmp

Filesize
3.8MB

Download
memory/3804-140-0x0000000002B40000-0x00000000031A2000-memory.dmp

Filesize
6.4MB

Download
memory/3804-139-0x0000000002B40000-0x00000000031A2000-memory.dmp

Filesize
6.4MB

Download
memory/3804-141-0x0000000002B40000-0x00000000031A2000-memory.dmp

Filesize
6.4MB

Download
memory/3804-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads