danabot | 56e5141838117a72da51f61f1e3e83b23ac9ba26afb3bd712ebb55fff6482efb

General

Target

CRA_INV_2019_552913887418/CRA_INV_2019_552913887418.vbs
Size

24.2MB
MD5

3818ef620d826c62136f450c32429ae5
SHA1

1297b772ec42586ce1c6db624e8948cbe265710d
SHA256

38c668144becb1199196394ad78df6694c86597a283aea61bd036dc1da2eef62
SHA512

9789441d9a76f62213ce9889422241c6732ec21ab4ddfff4b596136d327d393c03f8c2f0973b07fd88c7d21c1149d1418d3c153b6b802562ad4b9035ebe78c00
SSDEEP

6144:Xuqc48TgRr+iPNUvl2bXZF3HCqyURNcZV0N5pCO4Mt6pQi:RXr9PNi2bHKPQi

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

181.63.44.194

207.148.83.108

45.77.40.71

87.115.138.169

24.229.48.7

116.111.206.27

45.196.143.203

218.65.3.199

131.59.110.186

113.81.97.96

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2824	regsvr32.exe	28

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow	pid	Process
2	2432	rundll32.exe
5	2432	rundll32.exe
8	2432	rundll32.exe
9	2432	rundll32.exe
12	2432	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid	Process
2632	regsvr32.exe
2432	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid	Process
1968	WScript.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	Process	procid_target
PID 2536 wrote to memory of 2632	2536	regsvr32.exe	32
PID 2536 wrote to memory of 2632	2536	regsvr32.exe	32
PID 2536 wrote to memory of 2632	2536	regsvr32.exe	32
PID 2536 wrote to memory of 2632	2536	regsvr32.exe	32
PID 2536 wrote to memory of 2632	2536	regsvr32.exe	32
PID 2536 wrote to memory of 2632	2536	regsvr32.exe	32
PID 2536 wrote to memory of 2632	2536	regsvr32.exe	32
PID 2632 wrote to memory of 2432	2632	regsvr32.exe	33
PID 2632 wrote to memory of 2432	2632	regsvr32.exe	33
PID 2632 wrote to memory of 2432	2632	regsvr32.exe	33
PID 2632 wrote to memory of 2432	2632	regsvr32.exe	33
PID 2632 wrote to memory of 2432	2632	regsvr32.exe	33
PID 2632 wrote to memory of 2432	2632	regsvr32.exe	33
PID 2632 wrote to memory of 2432	2632	regsvr32.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CRA_INV_2019_552913887418\CRA_INV_2019_552913887418.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1968

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\hFbQyDeRQ.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\hFbQyDeRQ.txt
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\hFbQyDeRQ.txt,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BNEVJG~1.ZIP

Filesize
933KB

MD5
a32e3f77afecc9e72f93bdad4187b007

SHA1
0cd09218b4b8d29c0d4cf14fa07dbe49b743f9ee

SHA256
e354af2168426b078197c17e22552a6b1e6fbae28467d86be2f6e6415505ac6f

SHA512
d320e78d1c5da1e2f4fc7fd9e85457e695c6cb6f25302af21de65eb2adca73a167de6602b8f55771fbbbcbdf42f5263657b5ad68555c825efa8055c099237bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hFbQyDeRQ.txt

Filesize
1.1MB

MD5
f8cf63fb5f35fb0a72aeffcf1dc27aef

SHA1
bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb

SHA256
dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9

SHA512
f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f

Download Submit
memory/1968-9-0x00000000039C0000-0x00000000039C1000-memory.dmp

Filesize
4KB

Download
memory/2432-33-0x0000000001E70000-0x000000000289A000-memory.dmp

Filesize
10.2MB

Download
memory/2432-35-0x0000000001E70000-0x000000000289A000-memory.dmp

Filesize
10.2MB

Download
memory/2432-36-0x0000000001E70000-0x000000000289A000-memory.dmp

Filesize
10.2MB

Download
memory/2432-39-0x0000000001E70000-0x000000000289A000-memory.dmp

Filesize
10.2MB

Download
memory/2432-43-0x0000000001E70000-0x000000000289A000-memory.dmp

Filesize
10.2MB

Download
memory/2632-25-0x0000000001F30000-0x000000000295A000-memory.dmp

Filesize
10.2MB

Download
memory/2632-28-0x0000000002045000-0x000000000204A000-memory.dmp

Filesize
20KB

Download
memory/2632-27-0x0000000001F30000-0x000000000295A000-memory.dmp

Filesize
10.2MB

Download
memory/2632-30-0x0000000001F30000-0x000000000295A000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads