danabot | 7b3d7300a6423bd4a27f5071b2eb38c6942dea5127216f105095831edf3b5643

General

Target

CRA_INV_2019_846355810414/CRA_INV_2019_846355810414.vbs
Size

23.2MB
MD5

5dc77349a602cc631e123a686bf4d0c3
SHA1

fef0a2e8bb2a6585bb83abbf5243c3acf0471cfe
SHA256

79caaf23c2436d5d8ba5bba37c4e95022c78840b8278532d2348a5d3baf26418
SHA512

854f1c662dd9955807848d41dcf9898e903c7665f698d93dd59e53dc4575feabdbda381cb9b3d77ed0db82ca4f076e2f63730c9cf497cf6426f512612d96a838
SSDEEP

12288:vR44ehC8yM1Bo1xdZxYx11OsxGLnnY8+ubxihdPt4WzS/nfyDAcXuAcePYADj/Ym:PAwQuTw

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

181.63.44.194

207.148.83.108

45.77.40.71

87.115.138.169

24.229.48.7

116.111.206.27

45.196.143.203

218.65.3.199

131.59.110.186

113.81.97.96

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1016	regsvr32.exe	23

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	2340	rundll32.exe
5	2340	rundll32.exe
8	2340	rundll32.exe
9	2340	rundll32.exe
12	2340	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2680	regsvr32.exe
2340	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2140	WScript.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	30
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	30
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	30
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	30
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	30
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	30
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	30
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	31
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CRA_INV_2019_846355810414\CRA_INV_2019_846355810414.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2140

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\KNStDCVv.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\KNStDCVv.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\KNStDCVv.txt,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KNStDCVv.txt

Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDOMYX~1.ZIP

Filesize
933KB

MD5
d07e6cb84082f546b2ed8bc22e6960ab

SHA1
48903341f52fe10050342b829b261f43db4c1665

SHA256
7bf0c087b8287b91910e2d98f027bebc9e80d882fa364ee1134d1e1207d251b4

SHA512
823005372592aab689371fe9501bd9f15d0fce33fcb9659d36fa5bf4e0d1ffa2f79c7402c4834208632418ded80ead66f09989cd7c2a33419cf413a27ee23867

Download Submit
memory/2140-9-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2340-33-0x0000000002250000-0x0000000002C7A000-memory.dmp

Filesize
10.2MB

Download
memory/2340-35-0x0000000002250000-0x0000000002C7A000-memory.dmp

Filesize
10.2MB

Download
memory/2340-36-0x0000000002250000-0x0000000002C7A000-memory.dmp

Filesize
10.2MB

Download
memory/2340-39-0x0000000002250000-0x0000000002C7A000-memory.dmp

Filesize
10.2MB

Download
memory/2340-41-0x0000000002250000-0x0000000002C7A000-memory.dmp

Filesize
10.2MB

Download
memory/2680-25-0x00000000025D0000-0x0000000002FFA000-memory.dmp

Filesize
10.2MB

Download
memory/2680-27-0x00000000025D0000-0x0000000002FFA000-memory.dmp

Filesize
10.2MB

Download
memory/2680-28-0x00000000025D0000-0x0000000002FFA000-memory.dmp

Filesize
10.2MB

Download
memory/2680-29-0x00000000025D0000-0x0000000002FFA000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing