danabot | ea0af0074cddd3d6de2f641f5f0e7dfb5170dfc44a8661b06075cf32dfc3cf16

General

Target

80450a6fd44277fa7c6883ee59093f72.dll
Size

5.7MB
MD5

80450a6fd44277fa7c6883ee59093f72
SHA1

d90e1ccec2ff3f552b0e887acd50418a8959c1d1
SHA256

ea0af0074cddd3d6de2f641f5f0e7dfb5170dfc44a8661b06075cf32dfc3cf16
SHA512

461648a7cba529f6e13da31c1c4f4ad5ce73798a3569d96df65993d1c9c28cdc3750c5b056a1767e45260fd84b76c3fe179ccceea328a17a8182b76a54a0be65
SSDEEP

98304:VTH01OZK84868vo7flGArwf9ytPkWQULuYF2YsV3PlokRWS:VTHYiKsAz8ArPqWQULuTykRl

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

23.106.123.141:443

37.220.31.94:443

23.106.123.185:443

192.210.198.12:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

2 1996 RUNDLL32.EXE
3 1996 RUNDLL32.EXE
4 1996 RUNDLL32.EXE
5 1996 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
2	1996	RUNDLL32.EXE
3	1996	RUNDLL32.EXE
4	1996	RUNDLL32.EXE
5	1996	RUNDLL32.EXE

Drops desktop.ini file(s) 4 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3I8TNX97\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACR0LGSN\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	RUNDLL32.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 2948 rundll32.exe
Token: SeDebugPrivilege 1996 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	2948	rundll32.exe
Token: SeDebugPrivilege	1996	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2416 wrote to memory of 2948	2416	rundll32.exe	rundll32.exe
PID 2416 wrote to memory of 2948	2416	rundll32.exe	rundll32.exe
PID 2416 wrote to memory of 2948	2416	rundll32.exe	rundll32.exe
PID 2416 wrote to memory of 2948	2416	rundll32.exe	rundll32.exe
PID 2416 wrote to memory of 2948	2416	rundll32.exe	rundll32.exe
PID 2416 wrote to memory of 2948	2416	rundll32.exe	rundll32.exe
PID 2416 wrote to memory of 2948	2416	rundll32.exe	rundll32.exe
PID 2948 wrote to memory of 1996	2948	rundll32.exe	RUNDLL32.EXE
PID 2948 wrote to memory of 1996	2948	rundll32.exe	RUNDLL32.EXE
PID 2948 wrote to memory of 1996	2948	rundll32.exe	RUNDLL32.EXE
PID 2948 wrote to memory of 1996	2948	rundll32.exe	RUNDLL32.EXE
PID 2948 wrote to memory of 1996	2948	rundll32.exe	RUNDLL32.EXE
PID 2948 wrote to memory of 1996	2948	rundll32.exe	RUNDLL32.EXE
PID 2948 wrote to memory of 1996	2948	rundll32.exe	RUNDLL32.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,#1
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,tmJU
3⤵
- Blocklisted process makes network request
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gxxdafgzd.tmp
Filesize
256B

MD5
81a6acb2c80f76cd12d692565e7c0e66

SHA1
46fe73ede4821c44ee1d28a65b603533950a6080

SHA256
25bb09830e7f69f46194bbf93b2e4b7316a9e744d804d6359b43c3003ba80687

SHA512
d38b7f073ffeb4459031acb29897b38bc09e0e101b69b587d6db409826046bbd104f410cc4415a1c2031871163e0f0939a4a13823c74dc538f4e322b61828c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
843B

MD5
496c79abac0d1074c2979695199d5f2d

SHA1
fa5327469d09ba4f831cd882bd5b889d0b7728df

SHA256
b9335a81dd396b09a6520032eb15bcabf26e3dfed05beaef2849fe04638c2631

SHA512
06dff47de234a29e8afc26f2abfeb7575aa5173a61c377d48c754277f0b198c81f51018b29316163802ee44b9eab1971570fce76547d4ef47dc386466293d560

Download Submit
memory/1996-26-0x00000000020A0000-0x000000000265B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-12-0x0000000002F00000-0x0000000003560000-memory.dmp

Filesize
6.4MB

Download
memory/1996-4-0x00000000020A0000-0x000000000265B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-6-0x0000000002F00000-0x0000000003560000-memory.dmp

Filesize
6.4MB

Download
memory/1996-8-0x0000000002F00000-0x0000000003560000-memory.dmp

Filesize
6.4MB

Download
memory/1996-7-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1996-30-0x0000000002F00000-0x0000000003560000-memory.dmp

Filesize
6.4MB

Download
memory/1996-29-0x0000000002F00000-0x0000000003560000-memory.dmp

Filesize
6.4MB

Download
memory/1996-10-0x0000000002F00000-0x0000000003560000-memory.dmp

Filesize
6.4MB

Download
memory/1996-9-0x0000000002F00000-0x0000000003560000-memory.dmp

Filesize
6.4MB

Download
memory/1996-28-0x0000000002F00000-0x0000000003560000-memory.dmp

Filesize
6.4MB

Download
memory/2948-0-0x00000000021F0000-0x00000000027AB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-5-0x0000000003010000-0x0000000003670000-memory.dmp

Filesize
6.4MB

Download
memory/2948-2-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2948-3-0x0000000003010000-0x0000000003670000-memory.dmp

Filesize
6.4MB

Download
memory/2948-1-0x0000000003010000-0x0000000003670000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing