danabot | 6c569d751bad1c483e441d11fddd7163682835c963834014bc22481a7abe1163

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL_06052019_00330134265324053041.vbs
Size

1.5MB
MD5

92ecf80bc725fa74181d95ac0838e868
SHA1

7f799efa6d6cb3cfe194d5ca6b046839bf5f2a14
SHA256

d0d6b5440599fb7f047c0f2c933f2291c308d8c755d03d50097d7509005898f0
SHA512

9e00078a0e70f5f7bf5042d9ca3639facc495e8337a05912b0c10ab0b9d6bc7efcd8fcde7f9a313f833f71593eadab642211403449558e0027d52695ef8754ce
SSDEEP

3072:bEBy+XzeuINWCVuvRNZ0/8eywuFgT1Nk0g4gvVuctC76l/ahL/rk1yuJaXXn/kd3:WUIPbDXs10xh

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

17.87.135.29

178.209.51.211

92.19.7.22

192.71.249.51

125.204.180.169

182.91.160.38

35.132.27.153

11.32.49.47

50.64.117.111

121.215.98.191

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\bJtNz.dllcHuNVN	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
14	1444	rundll32.exe
31	1444	rundll32.exe
34	1444	rundll32.exe
36	1444	rundll32.exe
40	1444	rundll32.exe
47	1444	rundll32.exe
53	1444	rundll32.exe
57	1444	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

456 regsvr32.exe
1444 rundll32.exe
1444 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
456	regsvr32.exe
1444	rundll32.exe
1444	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WScript.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3968 wrote to memory of 4128	3968	WScript.exe	regsvr32.exe
PID 3968 wrote to memory of 4128	3968	WScript.exe	regsvr32.exe
PID 4128 wrote to memory of 456	4128	regsvr32.exe	regsvr32.exe
PID 4128 wrote to memory of 456	4128	regsvr32.exe	regsvr32.exe
PID 4128 wrote to memory of 456	4128	regsvr32.exe	regsvr32.exe
PID 456 wrote to memory of 1444	456	regsvr32.exe	rundll32.exe
PID 456 wrote to memory of 1444	456	regsvr32.exe	rundll32.exe
PID 456 wrote to memory of 1444	456	regsvr32.exe	rundll32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL_06052019_00330134265324053041.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\bJtNz.dllcHuNVN
2⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\\bJtNz.dllcHuNVN
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\bJtNz.dllcHuNVN,f0
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bJtNz.dllcHuNVN
Filesize
506KB

MD5
bd579a5fd57bc49aa9d2b9787f778f9d

SHA1
625f64e18dd6b5740c64bb4fc6603fcb6bcdea20

SHA256
5ff8d7f9c0ae14d0bd1b1442696dbc39015fbf3d69477d16fe4085f0664d41ba

SHA512
1c5c5fe35788943bdedfa0ce4c22254dd5e870bd16290116b17433a1c3f9854c68f88c19d8a8239d817e339f0e78061513fcd70fe6d20707c247e873e7a3e756

Download Submit
memory/456-4-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1444-7-0x0000000002270000-0x00000000022FC000-memory.dmp

Filesize
560KB

Download
memory/1444-8-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1444-9-0x0000000002270000-0x00000000022FC000-memory.dmp

Filesize
560KB

Download
memory/1444-11-0x0000000002270000-0x00000000022FC000-memory.dmp

Filesize
560KB

Download