Overview

overview

10

Static

static

05821ac657...2c.dll

windows7-x64

10

05821ac657...2c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05821ac6574f00468e14b701444a9d55efacee7c922d448611b4860dda82462c.dll

  • Size

    5.7MB

  • MD5

    c539c4094f9a26c2a63b3e08c071e218

  • SHA1

    cc00ac56935cd2aeff19c42ef53c6c04bafd02e2

  • SHA256

    05821ac6574f00468e14b701444a9d55efacee7c922d448611b4860dda82462c

  • SHA512

    79f5fd1104b9728d726930c2f62c7fcfd098ad047d2826bf2ef2a120164161e9a6dc9ec5eb875b557e063e23c349d128dd122ddae608a1e52b470568b8dc022c

  • SSDEEP

    98304:feKdZFndLKkPcuiLGYoWMwHpdwt0JY/v7ejmRoY2KFwJ8PktujmGs64m:fZZVBcuiLPDqYFjm/FwJ8sP

Score
10/10
danabot3bankerdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

3

C2

192.236.162.42:443

152.89.247.114:443

192.3.26.98:443

192.236.146.203:443
Attributes
  • embedded_hash

    B2585F6479280F48B64C99F950BBF36D

  • type

    main

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Blocklisted process makes network request 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks processor information in registry 2 TTPs 25 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\05821ac6574f00468e14b701444a9d55efacee7c922d448611b4860dda82462c.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\05821ac6574f00468e14b701444a9d55efacee7c922d448611b4860dda82462c.dll,#1
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\05821ac6574f00468e14b701444a9d55efacee7c922d448611b4860dda82462c.dll,TB8t
        3⤵
        • Blocklisted process makes network request
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1684-139-0x0000000000000000-mapping.dmp
    Download
  • memory/1684-140-0x0000000002810000-0x0000000002DCB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1684-142-0x00000000031D0000-0x0000000003832000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/1684-147-0x00000000031D0000-0x0000000003832000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/1684-148-0x00000000031D0000-0x0000000003832000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/4460-132-0x0000000000000000-mapping.dmp
    Download
  • memory/4460-133-0x0000000002660000-0x0000000002C1B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4460-134-0x00000000031A0000-0x0000000003802000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/4460-141-0x00000000031A0000-0x0000000003802000-memory.dmp
    Filesize

    6.4MB

    Download