danabot | cb0fb16a8600ed4d7cc0e2e799ee2d387336ac4396e81c400900d822003c85ab

Analysis

max time kernel
166s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb0fb16a8600ed4d7cc0e2e799ee2d387336ac4396e81c400900d822003c85ab.vbs
Size

1.4MB
MD5

bdf665a8c154813acbc9248b04632439
SHA1

7f0735dd37f0be3b6ef62decf063449cebcff237
SHA256

cb0fb16a8600ed4d7cc0e2e799ee2d387336ac4396e81c400900d822003c85ab
SHA512

a3ae986efd8a2f7a85b90c2869e8995f18b581b995746e3e660b3fa030c934372158bc9c12b080de0c3fb486d809f5a5e8b0c9ae4ac1e91c04c056373dbc6385
SSDEEP

12288:ZYinvW0+d/iOPxhiSw2iv+3BFShNHd0ALmw+5ERQa+mTNLEpD:ZYiOR/iOPxKlvULShtd0ASE8

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

17.61.181.105

106.24.105.193

185.92.222.238

31.22.129.27

148.52.73.88

8.17.13.17

178.209.51.211

132.245.225.89

240.11.153.6

45.198.49.124

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 3 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX	family_danabot
C:\Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX	family_danabot
C:\Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
10	4192	rundll32.exe
11	4192	rundll32.exe
24	4192	rundll32.exe
27	4192	rundll32.exe
35	4192	rundll32.exe
42	4192	rundll32.exe
49	4192	rundll32.exe
52	4192	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

4052 regsvr32.exe
4192 rundll32.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

regsvr32.exerundll32.exe

pid	process
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe
4192	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WScript.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 4292 wrote to memory of 4320	4292	WScript.exe	regsvr32.exe
PID 4292 wrote to memory of 4320	4292	WScript.exe	regsvr32.exe
PID 4320 wrote to memory of 4052	4320	regsvr32.exe	regsvr32.exe
PID 4320 wrote to memory of 4052	4320	regsvr32.exe	regsvr32.exe
PID 4320 wrote to memory of 4052	4320	regsvr32.exe	regsvr32.exe
PID 4052 wrote to memory of 4192	4052	regsvr32.exe	rundll32.exe
PID 4052 wrote to memory of 4192	4052	regsvr32.exe	rundll32.exe
PID 4052 wrote to memory of 4192	4052	regsvr32.exe	rundll32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb0fb16a8600ed4d7cc0e2e799ee2d387336ac4396e81c400900d822003c85ab.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\System32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\\iRkuPrJLysX.dllxCQIX
2⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\\iRkuPrJLysX.dllxCQIX
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX,f0
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX
Filesize
456KB

MD5
91eefb993eec684763a77369024b5e60

SHA1
d1c22a4aa01542e4688fbfad5790c77a3dc29605

SHA256
9f6cd0001edfce28667b965bbd74d453231eff8b8f7bb54d55cf454a83d01cd0

SHA512
947b33faccf7e97e781593e2646dfaadd769dca5e5527fa92430af2c391cf298845fd01da07985757c9dcfc435ae50b0a33012979c9071711eca007c09d15b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX
Filesize
456KB

MD5
91eefb993eec684763a77369024b5e60

SHA1
d1c22a4aa01542e4688fbfad5790c77a3dc29605

SHA256
9f6cd0001edfce28667b965bbd74d453231eff8b8f7bb54d55cf454a83d01cd0

SHA512
947b33faccf7e97e781593e2646dfaadd769dca5e5527fa92430af2c391cf298845fd01da07985757c9dcfc435ae50b0a33012979c9071711eca007c09d15b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX
Filesize
456KB

MD5
91eefb993eec684763a77369024b5e60

SHA1
d1c22a4aa01542e4688fbfad5790c77a3dc29605

SHA256
9f6cd0001edfce28667b965bbd74d453231eff8b8f7bb54d55cf454a83d01cd0

SHA512
947b33faccf7e97e781593e2646dfaadd769dca5e5527fa92430af2c391cf298845fd01da07985757c9dcfc435ae50b0a33012979c9071711eca007c09d15b3e

Download Submit
memory/4052-134-0x0000000000000000-mapping.dmp

Download
memory/4192-136-0x0000000000000000-mapping.dmp

Download
memory/4320-132-0x0000000000000000-mapping.dmp

Download