danabot | 7b3d7300a6423bd4a27f5071b2eb38c6942dea5127216f105095831edf3b5643

General

Target

CRA_INV_2019_846355810414/CRA_INV_2019_846355810414.vbs
Size

23.2MB
MD5

5dc77349a602cc631e123a686bf4d0c3
SHA1

fef0a2e8bb2a6585bb83abbf5243c3acf0471cfe
SHA256

79caaf23c2436d5d8ba5bba37c4e95022c78840b8278532d2348a5d3baf26418
SHA512

854f1c662dd9955807848d41dcf9898e903c7665f698d93dd59e53dc4575feabdbda381cb9b3d77ed0db82ca4f076e2f63730c9cf497cf6426f512612d96a838
SSDEEP

12288:vR44ehC8yM1Bo1xdZxYx11OsxGLnnY8+ubxihdPt4WzS/nfyDAcXuAcePYADj/Ym:PAwQuTw

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

181.63.44.194

207.148.83.108

45.77.40.71

87.115.138.169

24.229.48.7

116.111.206.27

45.196.143.203

218.65.3.199

131.59.110.186

113.81.97.96

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2556 1016 regsvr32.exe
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

2 2340 rundll32.exe
5 2340 rundll32.exe
8 2340 rundll32.exe
9 2340 rundll32.exe
12 2340 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

2680 regsvr32.exe
2340 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

2140 WScript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1016	regsvr32.exe

flow	pid	process
2	2340	rundll32.exe
5	2340	rundll32.exe
8	2340	rundll32.exe
9	2340	rundll32.exe
12	2340	rundll32.exe

pid	process
2680	regsvr32.exe
2340	rundll32.exe

pid	process
2140	WScript.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	regsvr32.exe
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	regsvr32.exe
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	regsvr32.exe
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	regsvr32.exe
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	regsvr32.exe
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	regsvr32.exe
PID 2556 wrote to memory of 2680	2556	regsvr32.exe	regsvr32.exe
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	rundll32.exe
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	rundll32.exe
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	rundll32.exe
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	rundll32.exe
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	rundll32.exe
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	rundll32.exe
PID 2680 wrote to memory of 2340	2680	regsvr32.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CRA_INV_2019_846355810414\CRA_INV_2019_846355810414.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2140

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\KNStDCVv.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\KNStDCVv.txt
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\KNStDCVv.txt,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KNStDCVv.txt
Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDOMYX~1.ZIP
Filesize
933KB

MD5
d07e6cb84082f546b2ed8bc22e6960ab

SHA1
48903341f52fe10050342b829b261f43db4c1665

SHA256
7bf0c087b8287b91910e2d98f027bebc9e80d882fa364ee1134d1e1207d251b4

SHA512
823005372592aab689371fe9501bd9f15d0fce33fcb9659d36fa5bf4e0d1ffa2f79c7402c4834208632418ded80ead66f09989cd7c2a33419cf413a27ee23867

Download Submit
memory/2140-9-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2340-33-0x0000000002250000-0x0000000002C7A000-memory.dmp

Filesize
10.2MB

Download
memory/2340-35-0x0000000002250000-0x0000000002C7A000-memory.dmp

Filesize
10.2MB

Download
memory/2340-36-0x0000000002250000-0x0000000002C7A000-memory.dmp

Filesize
10.2MB

Download
memory/2340-39-0x0000000002250000-0x0000000002C7A000-memory.dmp

Filesize
10.2MB

Download
memory/2340-41-0x0000000002250000-0x0000000002C7A000-memory.dmp

Filesize
10.2MB

Download
memory/2680-25-0x00000000025D0000-0x0000000002FFA000-memory.dmp

Filesize
10.2MB

Download
memory/2680-27-0x00000000025D0000-0x0000000002FFA000-memory.dmp

Filesize
10.2MB

Download
memory/2680-28-0x00000000025D0000-0x0000000002FFA000-memory.dmp

Filesize
10.2MB

Download
memory/2680-29-0x00000000025D0000-0x0000000002FFA000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing