danabot | ea0af0074cddd3d6de2f641f5f0e7dfb5170dfc44a8661b06075cf32dfc3cf16

General

Target

80450a6fd44277fa7c6883ee59093f72.dll
Size

5.7MB
MD5

80450a6fd44277fa7c6883ee59093f72
SHA1

d90e1ccec2ff3f552b0e887acd50418a8959c1d1
SHA256

ea0af0074cddd3d6de2f641f5f0e7dfb5170dfc44a8661b06075cf32dfc3cf16
SHA512

461648a7cba529f6e13da31c1c4f4ad5ce73798a3569d96df65993d1c9c28cdc3750c5b056a1767e45260fd84b76c3fe179ccceea328a17a8182b76a54a0be65
SSDEEP

98304:VTH01OZK84868vo7flGArwf9ytPkWQULuYF2YsV3PlokRWS:VTHYiKsAz8ArPqWQULuTykRl

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

23.106.123.141:443

37.220.31.94:443

23.106.123.185:443

192.210.198.12:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

RUNDLL32.EXE

flow pid process

5 1272 RUNDLL32.EXE
18 1272 RUNDLL32.EXE
20 1272 RUNDLL32.EXE
22 1272 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 2264 rundll32.exe
Token: SeDebugPrivilege 1272 RUNDLL32.EXE

flow	pid	process
5	1272	RUNDLL32.EXE
18	1272	RUNDLL32.EXE
20	1272	RUNDLL32.EXE
22	1272	RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	2264	rundll32.exe
Token: SeDebugPrivilege	1272	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4032 wrote to memory of 2264	4032	rundll32.exe	rundll32.exe
PID 4032 wrote to memory of 2264	4032	rundll32.exe	rundll32.exe
PID 4032 wrote to memory of 2264	4032	rundll32.exe	rundll32.exe
PID 2264 wrote to memory of 1272	2264	rundll32.exe	RUNDLL32.EXE
PID 2264 wrote to memory of 1272	2264	rundll32.exe	RUNDLL32.EXE
PID 2264 wrote to memory of 1272	2264	rundll32.exe	RUNDLL32.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,#1
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,mGI2
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png
Filesize
7KB

MD5
9f7165e53ce1f7f109be240a7145d96d

SHA1
08df18922492fe799f75912a100d00f4fb9ed4c4

SHA256
7ace7af33ecddb14b0e5870d9c5be28f0218d106f33fb505154d089a5055e9e9

SHA512
8fed74e748736b36a9ff33340120a85f722651a877b5404ae79eb650b31885d37b43d8102cfd9eeda4033dbf463d324533ced3bb2418e95fa0662291652db448

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gujekofbuuhnk.tmp
Filesize
256B

MD5
47de63aca9e42b79be429a58ab3d0c4e

SHA1
b66e011affb9a6c01bd58ca3c208969d62739cba

SHA256
6c5e7cd0ea0347f987064f833d7f01396c1dd578f7e80e0785bfd35b64ef0cec

SHA512
aa31ce697c5887355d25d77563abbe6bda8d6bda4f12c239c1af9cb4cb327ac95aa100be05674edd6f51dc9815c2be23a42a658fcf66c9ece7ffb758d1f724bf

Download Submit
memory/1272-8-0x0000000002FE0000-0x0000000003640000-memory.dmp

Filesize
6.4MB

Download
memory/1272-9-0x0000000002FE0000-0x0000000003640000-memory.dmp

Filesize
6.4MB

Download
memory/1272-5-0x0000000002FE0000-0x0000000003640000-memory.dmp

Filesize
6.4MB

Download
memory/1272-6-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1272-7-0x0000000002FE0000-0x0000000003640000-memory.dmp

Filesize
6.4MB

Download
memory/1272-24-0x0000000002FE0000-0x0000000003640000-memory.dmp

Filesize
6.4MB

Download
memory/1272-19-0x0000000002FE0000-0x0000000003640000-memory.dmp

Filesize
6.4MB

Download
memory/1272-4-0x0000000002320000-0x00000000028DB000-memory.dmp

Filesize
5.7MB

Download
memory/1272-20-0x0000000002320000-0x00000000028DB000-memory.dmp

Filesize
5.7MB

Download
memory/1272-23-0x0000000002FE0000-0x0000000003640000-memory.dmp

Filesize
6.4MB

Download
memory/2264-21-0x0000000002BE0000-0x0000000003240000-memory.dmp

Filesize
6.4MB

Download
memory/2264-0-0x0000000002090000-0x000000000264B000-memory.dmp

Filesize
5.7MB

Download
memory/2264-3-0x0000000002BE0000-0x0000000003240000-memory.dmp

Filesize
6.4MB

Download
memory/2264-2-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/2264-1-0x0000000002BE0000-0x0000000003240000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing