danabot | 6c569d751bad1c483e441d11fddd7163682835c963834014bc22481a7abe1163

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL_06052019_00330134265324053041.vbs
Size

1.5MB
MD5

92ecf80bc725fa74181d95ac0838e868
SHA1

7f799efa6d6cb3cfe194d5ca6b046839bf5f2a14
SHA256

d0d6b5440599fb7f047c0f2c933f2291c308d8c755d03d50097d7509005898f0
SHA512

9e00078a0e70f5f7bf5042d9ca3639facc495e8337a05912b0c10ab0b9d6bc7efcd8fcde7f9a313f833f71593eadab642211403449558e0027d52695ef8754ce
SSDEEP

3072:bEBy+XzeuINWCVuvRNZ0/8eywuFgT1Nk0g4gvVuctC76l/ahL/rk1yuJaXXn/kd3:WUIPbDXs10xh

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

17.87.135.29

178.209.51.211

92.19.7.22

192.71.249.51

125.204.180.169

182.91.160.38

35.132.27.153

11.32.49.47

50.64.117.111

121.215.98.191

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
behavioral1/files/0x000b000000014a1f-2.dat	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	Process
2	2492	rundll32.exe
3	2492	rundll32.exe
8	2492	rundll32.exe
11	2492	rundll32.exe
14	2492	rundll32.exe
15	2492	rundll32.exe
20	2492	rundll32.exe
21	2492	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid	Process
2316	regsvr32.exe
2492	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WScript.exeregsvr32.exeregsvr32.exe

description	pid	Process	procid_target
PID 1728 wrote to memory of 2480	1728	WScript.exe	28
PID 1728 wrote to memory of 2480	1728	WScript.exe	28
PID 1728 wrote to memory of 2480	1728	WScript.exe	28
PID 1728 wrote to memory of 2480	1728	WScript.exe	28
PID 1728 wrote to memory of 2480	1728	WScript.exe	28
PID 2480 wrote to memory of 2316	2480	regsvr32.exe	29
PID 2480 wrote to memory of 2316	2480	regsvr32.exe	29
PID 2480 wrote to memory of 2316	2480	regsvr32.exe	29
PID 2480 wrote to memory of 2316	2480	regsvr32.exe	29
PID 2480 wrote to memory of 2316	2480	regsvr32.exe	29
PID 2480 wrote to memory of 2316	2480	regsvr32.exe	29
PID 2480 wrote to memory of 2316	2480	regsvr32.exe	29
PID 2316 wrote to memory of 2492	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2492	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2492	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2492	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2492	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2492	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2492	2316	regsvr32.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL_06052019_00330134265324053041.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\bJtNz.dllcHuNVN
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\regsvr32.exe
    -s C:\Users\Admin\AppData\Local\Temp\\bJtNz.dllcHuNVN
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\bJtNz.dllcHuNVN,f0
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bJtNz.dllcHuNVN

Filesize
506KB

MD5
bd579a5fd57bc49aa9d2b9787f778f9d

SHA1
625f64e18dd6b5740c64bb4fc6603fcb6bcdea20

SHA256
5ff8d7f9c0ae14d0bd1b1442696dbc39015fbf3d69477d16fe4085f0664d41ba

SHA512
1c5c5fe35788943bdedfa0ce4c22254dd5e870bd16290116b17433a1c3f9854c68f88c19d8a8239d817e339f0e78061513fcd70fe6d20707c247e873e7a3e756

Download Submit
memory/2316-4-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2492-6-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/2492-7-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2492-8-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download
memory/2492-10-0x00000000002E0000-0x000000000036C000-memory.dmp

Filesize
560KB

Download