danabot | 43b114f6b9f115f23b1f3ecfd158b575

Sharing

Copy URL Twitter E-mail

General

Target

43b114f6b9f115f23b1f3ecfd158b575
Size

17.5MB
MD5

43b114f6b9f115f23b1f3ecfd158b575
SHA1

b2c6168a17c691f4ac26b2b0c9349bb74fd07f5c
SHA256

18f7baa1e7b807db7728f8f2675e666c8532983aa262b1229c4cc89fbb78216b
SHA512

ab232bbc8143a5df97880a1c11beecf0235f762f8f867fd9ca4871e90615b557fa57d7e88c05345aca21965287ed6a0d083dac56c88c67fab6fde5ece8c09630
SSDEEP

393216:xv2PU5oGI+wkWu0dyoY2gCHDAk8lEwLNPFqCxnh:12PrcWu0F18lEwLNPFqCxnh

Score

10^/10

4 danabot

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot family
danabot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
43b114f6b9f115f23b1f3ecfd158b575

Files

43b114f6b9f115f23b1f3ecfd158b575
.dll windows:5 windows x86 arch:x86

908afa7baa08116e817d0ade28b27ef3

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen
SafeArrayPtrOfIndex
SafeArrayPutElement
SafeArrayGetElement
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopyInd
VariantCopy
VariantClear
VariantInit
CreateErrorInfo
GetErrorInfo
SetErrorInfo
SysFreeString

advapi32

RegQueryValueExW
RegOpenKeyExW
RegCloseKey
SetThreadToken
SetSecurityDescriptorDacl
ReportEventA
RegisterEventSourceA
RegUnLoadKeyW
RegSetValueExW
RegSaveKeyW
RegRestoreKeyW
RegReplaceKeyW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegOpenKeyW
RegLoadKeyW
RegFlushKey
RegEnumValueW
RegEnumKeyW
RegEnumKeyExW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyExW
RegConnectRegistryW
RegCloseKey
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
LookupAccountSidW
LookupAccountNameW
IsValidSid
IsTextUnicode
InitializeSecurityDescriptor
GetUserNameW
GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
GetSecurityDescriptorSacl
GetCurrentHwProfileW
FreeSid
EqualSid
DuplicateToken
DeregisterEventSource
AllocateAndInitializeSid
AdjustTokenPrivileges
CryptEnumProvidersA
CryptSignHashA
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptGenKey
CryptReleaseContext
CryptAcquireContextW
CryptAcquireContextA
LsaFreeMemory
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
ConvertSidToStringSidA
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetSecurityInfo
SetSecurityInfo
ConvertStringSecurityDescriptorToSecurityDescriptorW
CryptSignHashA
CryptVerifySignatureW
CryptDecrypt
CryptImportKey
CryptEncrypt
CryptDeriveKey
CryptDestroyKey
CryptExportKey
CryptGenKey
CryptReleaseContext
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptAcquireContextA

user32

CharNextW
LoadStringW
SetWindowLongA
GetWindowLongA
SetWindowLongW
GetWindowLongW
CreateWindowExW
wvsprintfW
mouse_event
keybd_event
WindowFromPoint
UpdateWindow
UnregisterClassW
TranslateMessage
SystemParametersInfoW
ShowWindow
SetWindowPos
SetTimer
SetThreadDesktop
SetClipboardData
SendMessageA
SendMessageW
ScreenToClient
ReleaseDC
RegisterWindowMessageW
RegisterClassW
RealGetWindowClassW
PtInRect
PostThreadMessageW
PostMessageA
PostMessageW
PeekMessageW
OpenDesktopW
OpenClipboard
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
MoveWindow
MessageBoxA
MessageBoxW
MenuItemFromPoint
LoadStringW
LoadIconW
LoadCursorW
KillTimer
IsWindowVisible
IsWindow
InvalidateRect
GetWindowThreadProcessId
GetWindowTextW
GetWindowRect
GetWindowPlacement
GetWindowInfo
GetUserObjectInformationW
GetTopWindow
GetThreadDesktop
GetSystemMetrics
GetProcessWindowStation
GetWindow
GetMessageW
GetMenuItemID
GetKeyboardLayoutList
GetForegroundWindow
GetDesktopWindow
GetDC
GetCursorInfo
GetClipboardData
GetClassNameW
GetClassInfoW
GetAncestor
FrameRect
FindWindowExW
FindWindowA
FindWindowW
EnumDesktopWindows
EndDeferWindowPos
DrawIcon
DispatchMessageW
DestroyWindow
DeferWindowPos
DefWindowProcW
CreateDesktopW
CloseDesktop
CloseClipboard
ChildWindowFromPoint
CharUpperBuffW
CharUpperW
CharLowerBuffW
BeginDeferWindowPos
PrintWindow
PrintWindow

kernel32

Sleep
VirtualFree
VirtualAlloc
lstrlenW
VirtualQuery
QueryPerformanceCounter
GetTickCount
GetSystemInfo
GetVersion
CompareStringW
IsValidLocale
SetThreadLocale
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
GetLocaleInfoW
WideCharToMultiByte
MultiByteToWideChar
GetACP
LoadLibraryExW
GetStartupInfoW
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetCommandLineW
FreeLibrary
GetLastError
UnhandledExceptionFilter
RtlUnwind
RaiseException
ExitProcess
ExitThread
SwitchToThread
GetCurrentThreadId
CreateThread
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
FindFirstFileW
FindClose
SetCurrentDirectoryW
GetCurrentDirectoryW
WriteFile
GetStdHandle
CloseHandle
GetProcAddress
RaiseException
LoadLibraryA
GetLastError
TlsSetValue
TlsGetValue
TlsFree
TlsAlloc
LocalFree
LocalAlloc
FreeLibrary
lstrlenW
lstrcpyA
lstrcpyW
lstrcmpW
lstrcatW
WriteProcessMemory
WritePrivateProfileStringW
WriteFile
WideCharToMultiByte
WaitForSingleObjectEx
WaitForSingleObject
WaitForMultipleObjectsEx
VirtualQueryEx
VirtualQuery
VirtualProtect
VirtualFreeEx
VirtualFree
VirtualAllocEx
VirtualAlloc
VerSetConditionMask
VerifyVersionInfoW
UnmapViewOfFile
UnlockFileEx
UnlockFile
TryEnterCriticalSection
TerminateThread
TerminateProcess
SystemTimeToFileTime
SwitchToThread
SuspendThread
Sleep
SetThreadPriority
SetPriorityClass
SetLastError
SetFileTime
SetFilePointerEx
SetFilePointer
SetFileAttributesW
SetEvent
SetEndOfFile
SetCurrentDirectoryW
ResumeThread
ResetEvent
RemoveDirectoryW
ReleaseSemaphore
ReadFile
RaiseException
QueryPerformanceFrequency
QueryPerformanceCounter
QueryDosDeviceW
IsDebuggerPresent
OutputDebugStringA
OutputDebugStringW
OpenProcess
OpenEventW
MultiByteToWideChar
MapViewOfFile
LockFileEx
LockFile
LocalFree
LocalAlloc
LoadLibraryA
LoadLibraryW
LeaveCriticalSection
LCMapStringW
IsValidLocale
IsBadReadPtr
InitializeCriticalSection
HeapValidate
HeapSize
HeapReAlloc
HeapFree
HeapDestroy
HeapCreate
HeapCompact
HeapAlloc
GlobalUnlock
GlobalSize
GlobalMemoryStatusEx
GlobalMemoryStatus
GlobalLock
GlobalFree
GlobalAlloc
GetWindowsDirectoryW
GetVolumeInformationW
GetVersionExA
GetVersionExW
GetVersion
GetUserDefaultLangID
GetTimeZoneInformation
GetTickCount
GetThreadPriority
GetThreadLocale
GetTempPathA
GetTempPathW
GetTempFileNameW
GetSystemTimeAsFileTime
GetSystemTime
GetSystemPowerStatus
GetSystemInfo
GetSystemDirectoryW
GetSystemDefaultLangID
GetStdHandle
GetLongPathNameW
GetShortPathNameW
GetProcessHeap
GetProcAddress
GetPrivateProfileStringW
GetPrivateProfileIntW
GetModuleHandleA
GetModuleHandleW
GetModuleFileNameW
GetLogicalDrives
GetLogicalDriveStringsW
GetLocaleInfoW
GetLocalTime
GetLastError
GetFullPathNameA
GetFullPathNameW
GetFileType
GetFileSizeEx
GetFileSize
GetFileAttributesExW
GetFileAttributesA
GetFileAttributesW
GetExitCodeThread
GetExitCodeProcess
GetEnvironmentVariableW
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceA
GetDiskFreeSpaceW
GetDateFormatW
GetCurrentThreadId
GetCurrentThread
GetCurrentProcessId
GetCurrentProcess
GetCurrentDirectoryW
GetComputerNameExW
GetComputerNameW
GetCPInfoExW
GetCPInfo
GetBinaryTypeW
GetACP
FreeLibrary
FormatMessageA
FormatMessageW
FlushViewOfFile
FlushInstructionCache
FlushFileBuffers
FlushConsoleInputBuffer
FindNextFileA
FindNextFileW
FindFirstFileA
FindFirstFileW
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
EnumSystemLocalesW
EnumCalendarInfoW
EnterCriticalSection
DisconnectNamedPipe
DeleteFileA
DeleteFileW
DeleteCriticalSection
CreateThread
CreateSemaphoreA
CreateRemoteThread
CreateProcessW
CreateNamedPipeW
CreateMutexW
CreateFileMappingW
CreateFileA
CreateFileW
CreateEventA
CreateEventW
CreateDirectoryW
CopyFileW
ConnectNamedPipe
CompareStringW
CloseHandle
AreFileApisANSI
Sleep
Wow64EnableWow64FsRedirection
Wow64DisableWow64FsRedirection

gdi32

StretchBlt
SetStretchBltMode
SelectObject
Rectangle
GetStockObject
GetPixel
GetObjectA
GetDeviceCaps
GetDIBits
DeleteObject
DeleteDC
CreatePen
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

mpr

WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum

netapi32

NetApiBufferFree
NetWkstaGetInfo
Netbios

ole32

OleInitialize
CreateBindCtx
MkParseDisplayName
CoGetObject
CoTaskMemFree
CLSIDFromProgID
IIDFromString
CLSIDFromString
StringFromCLSID
CoCreateInstance
CoUninitialize
CoInitializeEx
CoInitialize

ws2_32

WSAIoctl
WSAEventSelect
WSAGetLastError
WSASetLastError
WSACleanup
WSAStartup
getservbyname
gethostbyname
socket
shutdown
setsockopt
send
select
recv
ntohs
ntohl
listen
inet_addr
htons
htonl
getsockopt
getsockname
ioctlsocket
connect
closesocket
bind
accept
__WSAFDIsSet

shell32

ShellExecuteExW
SHAppBarMessage
SHGetFolderPathW
SHGetSpecialFolderPathW
SHGetSpecialFolderPathW
SHGetPathFromIDListW
SHGetSpecialFolderLocation

wininet

InternetSetOptionW
InternetCrackUrlW

msvcrt

realloc
_ftol
memmove
memcmp
free
malloc
strncmp
memset
strlen
memcpy
localtime
_errno
memchr
strcmp
strerror
realloc
_ftol
strncpy
strcat
isdigit
isxdigit
memmove
printf
tolower
isupper
isspace
memcmp
free
malloc
atol
_stricmp
strchr
strncmp
memset
strlen
memcpy
toupper
abort
signal
_getch
setvbuf
getenv
strstr
sprintf
_exit
raise
_vsnprintf
wcsstr
strtol
fflush
fputs
time
fwrite
strrchr
strtoul
sscanf
fprintf
_stat
ftell
fread
fopen
_lseek
_write
_read
_close
wcslen
_getpid
isalnum
localtime
gmtime
calloc
_chmod
_fdopen
_open
fclose
qsort
fseek
_strnicmp
fgets
_setmode
_wfopen
memset
memmove
memcpy
_beginthreadex

esent

JetIndexRecordCount
JetMove
JetRetrieveColumns
JetOpenTableW
JetOpenDatabaseW
JetGetColumnInfoW
JetAttachDatabaseW
JetEndSession
JetBeginSessionW
JetSetSystemParameterW
JetTerm
JetCreateInstanceW
JetInit

crypt32

CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertCreateSelfSignCertificate
CertOpenSystemStoreW
CertGetNameStringW
CertStrToNameW
CertNameToStrW
CryptExportPKCS8
CryptAcquireCertificatePrivateKey
CryptExportPublicKeyInfoEx
CryptSignAndEncodeCertificate
CertAddCertificateContextToStore
CertGetCertificateContextProperty
CertFreeCertificateContext
CertCreateCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CryptEncodeObject
PFXExportCertStoreEx
CryptBinaryToStringA
CryptStringToBinaryA

iphlpapi

GetAdaptersInfo

winspool.drv

GetDefaultPrinterW

rasapi32

RasGetEntryDialParamsA
RasEnumEntriesA

cryptui

CryptUIDlgViewCertificateW

shlwapi

StrStrW

ntdll

RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
RtlAllocateHeap
RtlDecompressBuffer
LdrEnumerateLoadedModules
RtlReleasePebLock
RtlAcquirePebLock
RtlGetCurrentPeb
NtFreeVirtualMemory
NtAllocateVirtualMemory
NtQueryValueKey
NtEnumerateValueKey
NtOpenKey
RtlQueryElevationFlags
NtQueryInformationToken
NtOpenProcessToken
RtlGetVersion
RtlDestroyHeap
RtlFreeHeap
RtlAllocateHeap
RtlCreateHeap
RtlNtStatusToDosError
RtlEqualUnicodeString
RtlInitUnicodeString
NtClose

Exports

Exports

TMethodImplementationIntercept
__dbk_fcall_wrapper
dbkFCallWrapperAddr

Sections

.text
Size: 14.0MB - Virtual size: 14.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 1.1MB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 19KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 287KB - Virtual size: 288KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 22KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

908afa7baa08116e817d0ade28b27ef3

Headers

File Characteristics

Imports

oleaut32

advapi32

user32

kernel32

gdi32

version

mpr

netapi32

ole32

ws2_32

shell32

wininet

msvcrt

esent

crypt32

iphlpapi

winspool.drv

rasapi32

cryptui

shlwapi

ntdll

Exports

Exports

Sections

.text Size: 14.0MB - Virtual size: 14.0MB

.itext Size: 8KB - Virtual size: 8KB

.data Size: 3.1MB - Virtual size: 3.1MB

.bss Size: - Virtual size: 1.1MB

.idata Size: 19KB - Virtual size: 20KB

.didata Size: 1KB - Virtual size: 4KB

.edata Size: 512B - Virtual size: 4KB

.rdata Size: 512B - Virtual size: 4KB

.reloc Size: 287KB - Virtual size: 288KB

.rsrc Size: 22KB - Virtual size: 24KB

.text
Size: 14.0MB - Virtual size: 14.0MB

.itext
Size: 8KB - Virtual size: 8KB

.data
Size: 3.1MB - Virtual size: 3.1MB

.bss
Size: - Virtual size: 1.1MB

.idata
Size: 19KB - Virtual size: 20KB

.didata
Size: 1KB - Virtual size: 4KB

.edata
Size: 512B - Virtual size: 4KB

.rdata
Size: 512B - Virtual size: 4KB

.reloc
Size: 287KB - Virtual size: 288KB

.rsrc
Size: 22KB - Virtual size: 24KB