danabot | d73fba668845db5d6521d7eb9741f811fce9d79edf0a0e9c66a0a00b54c916fc

General

Target

ab8b77119439daf598b0f6b0801af58b.exe
Size

2.9MB
MD5

ab8b77119439daf598b0f6b0801af58b
SHA1

1b619621c699dc509bb8aa0a3996b22cc9ee1321
SHA256

d73fba668845db5d6521d7eb9741f811fce9d79edf0a0e9c66a0a00b54c916fc
SHA512

7fbefb921d02253bf748b1da8c726855e5611186c3f2e574c88d5217e750be1a90ca469dc1e4f90ce3b7ef0817f0d6fcf5602f368241c88c9c20b0a0e91f4616
SSDEEP

49152:18CFrvu7i5NcFYbd1fLbHhuJfAkRJWqckw6TvU9lL:1PJ5NcO51fcJfAoWqeSylL

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE	DanabotLoader2021

Executes dropped EXE 1 IoCs

Processes:

hBS_VbW.EXE

pid process

2608 hBS_VbW.EXE
Loads dropped DLL 2 IoCs

Processes:

cmd.exerundll32.exe

pid process

2768 cmd.exe
588 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2548 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2548 taskkill.exe

pid	process
2608	hBS_VbW.EXE

pid	process
2768	cmd.exe
588	rundll32.exe

pid	process
2548	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

description	pid	process
Token: SeDebugPrivilege	2548	taskkill.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

ab8b77119439daf598b0f6b0801af58b.exemshta.execmd.exehBS_VbW.EXEmshta.exe

description	pid	process	target process
PID 2208 wrote to memory of 2744	2208	ab8b77119439daf598b0f6b0801af58b.exe	mshta.exe
PID 2208 wrote to memory of 2744	2208	ab8b77119439daf598b0f6b0801af58b.exe	mshta.exe
PID 2208 wrote to memory of 2744	2208	ab8b77119439daf598b0f6b0801af58b.exe	mshta.exe
PID 2208 wrote to memory of 2744	2208	ab8b77119439daf598b0f6b0801af58b.exe	mshta.exe
PID 2744 wrote to memory of 2768	2744	mshta.exe	cmd.exe
PID 2744 wrote to memory of 2768	2744	mshta.exe	cmd.exe
PID 2744 wrote to memory of 2768	2744	mshta.exe	cmd.exe
PID 2744 wrote to memory of 2768	2744	mshta.exe	cmd.exe
PID 2768 wrote to memory of 2608	2768	cmd.exe	hBS_VbW.EXE
PID 2768 wrote to memory of 2608	2768	cmd.exe	hBS_VbW.EXE
PID 2768 wrote to memory of 2608	2768	cmd.exe	hBS_VbW.EXE
PID 2768 wrote to memory of 2608	2768	cmd.exe	hBS_VbW.EXE
PID 2768 wrote to memory of 2548	2768	cmd.exe	taskkill.exe
PID 2768 wrote to memory of 2548	2768	cmd.exe	taskkill.exe
PID 2768 wrote to memory of 2548	2768	cmd.exe	taskkill.exe
PID 2768 wrote to memory of 2548	2768	cmd.exe	taskkill.exe
PID 2608 wrote to memory of 2524	2608	hBS_VbW.EXE	mshta.exe
PID 2608 wrote to memory of 2524	2608	hBS_VbW.EXE	mshta.exe
PID 2608 wrote to memory of 2524	2608	hBS_VbW.EXE	mshta.exe
PID 2608 wrote to memory of 2524	2608	hBS_VbW.EXE	mshta.exe
PID 2524 wrote to memory of 2668	2524	mshta.exe	cmd.exe
PID 2524 wrote to memory of 2668	2524	mshta.exe	cmd.exe
PID 2524 wrote to memory of 2668	2524	mshta.exe	cmd.exe
PID 2524 wrote to memory of 2668	2524	mshta.exe	cmd.exe
PID 2608 wrote to memory of 588	2608	hBS_VbW.EXE	rundll32.exe
PID 2608 wrote to memory of 588	2608	hBS_VbW.EXE	rundll32.exe
PID 2608 wrote to memory of 588	2608	hBS_VbW.EXE	rundll32.exe
PID 2608 wrote to memory of 588	2608	hBS_VbW.EXE	rundll32.exe
PID 2608 wrote to memory of 588	2608	hBS_VbW.EXE	rundll32.exe
PID 2608 wrote to memory of 588	2608	hBS_VbW.EXE	rundll32.exe
PID 2608 wrote to memory of 588	2608	hBS_VbW.EXE	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ab8b77119439daf598b0f6b0801af58b.exe
"C:\Users\Admin\AppData\Local\Temp\ab8b77119439daf598b0f6b0801af58b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\ab8b77119439daf598b0f6b0801af58b.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\ab8b77119439daf598b0f6b0801af58b.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\ab8b77119439daf598b0f6b0801af58b.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\ab8b77119439daf598b0f6b0801af58b.exe" ) do taskkill -f -iM "%~NxA"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
5⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
6⤵
PID:2668

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
5⤵
- Loads dropped DLL
PID:588

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "ab8b77119439daf598b0f6b0801af58b.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2548

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QnEJR.fPC
Filesize
1.2MB

MD5
27e822aa6ac28bcafc97b2cf82d7e96e

SHA1
abdfdb50e19aef134624ffe1c1799e273db55a8d

SHA256
f2fedccab6a1419b0199b4607369ffce3da3e288170f1146cc685367e66df1c2

SHA512
efb06dbb544e8097d08e57379a7724f94507dd6527592e67e4dd516578ed417d91bda18cb5f42057ab5d216a0d620b8cdcadee51a369553d27896341b72f3abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
Filesize
1.8MB

MD5
4ab56e932f5aa355cbcebe51cd01e7a9

SHA1
0ddae71c1631956887cbecb136c89f5714c05f63

SHA256
18ee4647b9d02379e82c1dcc1adaaf2fe04d7a3881d5e26241afd9172c64dc15

SHA512
240b07bba2c6bebe443ee8b8d9a7a082753942ce0ad9d4e1d9e7a792c8bd2580bc20ab12e3d189e89b6da7063530a61115c04be5b704cc2ee4a124bfa4976a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
Filesize
1.3MB

MD5
d2565e916857683d4b7bfaf3bbf42c06

SHA1
a81ce78b21a7ba933ac9b332d0db687ffa2ed887

SHA256
63467c47a7fdf6d339bad9d93cae4683319edab289053674bd5c2edfb5e25f7c

SHA512
3e671bda2d2738ae2346e01c5d4293cf92b077cf694f1ceaf46f8b2179f62cc944dfcfecb84ba4dc5658e5966fbb4487a3b112829342db8c80b528fa8a6cb9b4

Download Submit
\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
Filesize
960KB

MD5
020d98dcbb20c3eaf1a8617d5b14f4d1

SHA1
dd1aa50211aea546c668228f80df8ff28df8fda6

SHA256
0db80d8e70ff53408f4a2fd87b3721c00f521ce98e7b695e87b6c98d9a5d8967

SHA512
1c510661b5f27abc8160ad12e06a5338b4c61c66ec07d802f141e31e4d444f9962cdcda60a57fe563683d701917af76b835a039f34084d4dc34b1919a0b3e2b2

Download Submit
memory/588-13-0x0000000000D20000-0x0000000000DF0000-memory.dmp

Filesize
832KB

Download
memory/588-12-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/588-11-0x00000000003D0000-0x000000000050D000-memory.dmp

Filesize
1.2MB

Download
memory/588-14-0x0000000002F20000-0x0000000002FD4000-memory.dmp

Filesize
720KB

Download
memory/588-15-0x00000000003D0000-0x000000000050D000-memory.dmp

Filesize
1.2MB

Download
memory/588-17-0x0000000002FE0000-0x000000000308D000-memory.dmp

Filesize
692KB

Download
memory/588-18-0x0000000003090000-0x000000000312A000-memory.dmp

Filesize
616KB

Download
memory/588-19-0x0000000003090000-0x000000000312A000-memory.dmp

Filesize
616KB

Download
memory/588-21-0x0000000003090000-0x000000000312A000-memory.dmp

Filesize
616KB

Download
memory/588-22-0x0000000003090000-0x000000000312A000-memory.dmp

Filesize
616KB

Download
memory/588-24-0x0000000002F20000-0x0000000002FD4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing