danabot | 85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486

General

Target

85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486.exe
Size

5.9MB
MD5

61f67b134cee1f90ff97aeb9230409d7
SHA1

a0297a19487ef861c36485231920be809a759d13
SHA256

85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486
SHA512

5c037018731c5e2439a7e2105bf0bfd8fd4a61a93aa1ad26dfbecbd30c67eca62a6c5b5637793a2988ab5533a6fd83f14c80e6b6c419d0085dd77d4a313f87ee
SSDEEP

98304:8GREmNruWZtR7cOjO2ep2X0IbHcgdwZ+KWZegWtvPC3nM5boKeHpGrpoVtm5G:VREQuotR4OjO2O0XM+degWs3nM5bqHpb

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

3

C2

192.3.26.98:443

192.236.146.203:443

142.44.224.16:443

192.161.48.5:443

Attributes

embedded_hash
B2585F6479280F48B64C99F950BBF36D
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	2592	RUNDLL32.EXE
3	2592	RUNDLL32.EXE
6	2592	RUNDLL32.EXE
7	2592	RUNDLL32.EXE

Deletes itself 1 IoCs

pid	Process
2796	rundll32.exe

Loads dropped DLL 8 IoCs

pid	Process
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2592	RUNDLL32.EXE
2592	RUNDLL32.EXE
2592	RUNDLL32.EXE
2592	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NNULH633\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	rundll32.exe
Token: SeDebugPrivilege	2592	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2796	1940	85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486.exe	28
PID 1940 wrote to memory of 2796	1940	85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486.exe	28
PID 1940 wrote to memory of 2796	1940	85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486.exe	28
PID 1940 wrote to memory of 2796	1940	85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486.exe	28
PID 1940 wrote to memory of 2796	1940	85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486.exe	28
PID 1940 wrote to memory of 2796	1940	85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486.exe	28
PID 1940 wrote to memory of 2796	1940	85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486.exe	28
PID 2796 wrote to memory of 2592	2796	rundll32.exe	29
PID 2796 wrote to memory of 2592	2796	rundll32.exe	29
PID 2796 wrote to memory of 2592	2796	rundll32.exe	29
PID 2796 wrote to memory of 2592	2796	rundll32.exe	29
PID 2796 wrote to memory of 2592	2796	rundll32.exe	29
PID 2796 wrote to memory of 2592	2796	rundll32.exe	29
PID 2796 wrote to memory of 2592	2796	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486.exe
"C:\Users\Admin\AppData\Local\Temp\85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\85FC00~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\85FC00~1.EXE
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\85FC00~1.DLL,ijhSjByrAmj4
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg

Filesize
4KB

MD5
2c8e4b5c21697cc270c2024064c4eb93

SHA1
3a9b25c868cf0b2ce9503c802da78f22f689fc6b

SHA256
b5f9b106011e1d84aa5349ce86b76b46da8bf7c6b5c580b7da27fb97dd1688e8

SHA512
919b9ddf5f2b40083940e509bca9bb089919ab20d6ed1481bcd295ee0b270656c826b64c3364e2e147d6e825adcbbaa663ed23e38e897374e913cee4110b9c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\85FC00~1.DLL

Filesize
5.7MB

MD5
7daab1cfff460632833453f41925141e

SHA1
728b0a67930de5b86ed91b9a953d1101f45bcb7a

SHA256
2175991645153bed680b94b99d5666d7031a7abee2fb108d0c172de7766b88e4

SHA512
a0f1739e9a093554df58bb5ff38ccefb66c0fba3f2d3107c05a48dad4f3f0e1c147500394d4f1ed5ba030737ac07385eb67780729a5512ea0dd78a59622c2615

Download Submit
C:\Users\Admin\AppData\Local\Temp\apdlsak.tmp

Filesize
256B

MD5
a8eeae4ad17833fd026bb5e3acf9e0f3

SHA1
b3e3a03f616bc47d6e9897610ce392e011c52366

SHA256
ba6d35de1cbeb663a23c5644882579498d66e8798ecd4d82308e4f329b416b4e

SHA512
733216be59a6e6fe698bb277755a3ce31f510df67dbf64eb4852564a136faa3cbf35dea6e67ac4e0e6d9824611b5670557523440c32c680204b9b6699a3dd86e

Download Submit
memory/1940-7-0x0000000000400000-0x0000000000DDA000-memory.dmp

Filesize
9.9MB

Download
memory/1940-4-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/1940-5-0x0000000000400000-0x0000000000DDA000-memory.dmp

Filesize
9.9MB

Download
memory/1940-0-0x0000000001000000-0x00000000015BD000-memory.dmp

Filesize
5.7MB

Download
memory/1940-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1940-15-0x0000000001000000-0x00000000015BD000-memory.dmp

Filesize
5.7MB

Download
memory/1940-16-0x00000000015C0000-0x0000000001CB7000-memory.dmp

Filesize
7.0MB

Download
memory/1940-2-0x00000000015C0000-0x0000000001CB7000-memory.dmp

Filesize
7.0MB

Download
memory/1940-14-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/1940-1-0x0000000001000000-0x00000000015BD000-memory.dmp

Filesize
5.7MB

Download
memory/2592-28-0x0000000003230000-0x0000000003892000-memory.dmp

Filesize
6.4MB

Download
memory/2592-26-0x0000000003230000-0x0000000003892000-memory.dmp

Filesize
6.4MB

Download
memory/2592-27-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2592-29-0x0000000003230000-0x0000000003892000-memory.dmp

Filesize
6.4MB

Download
memory/2592-39-0x0000000003230000-0x0000000003892000-memory.dmp

Filesize
6.4MB

Download
memory/2592-40-0x00000000023C0000-0x000000000297C000-memory.dmp

Filesize
5.7MB

Download
memory/2592-72-0x0000000003230000-0x0000000003892000-memory.dmp

Filesize
6.4MB

Download
memory/2592-73-0x0000000003230000-0x0000000003892000-memory.dmp

Filesize
6.4MB

Download
memory/2796-19-0x00000000031A0000-0x0000000003802000-memory.dmp

Filesize
6.4MB

Download
memory/2796-18-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2796-25-0x00000000031A0000-0x0000000003802000-memory.dmp

Filesize
6.4MB

Download
memory/2796-17-0x00000000031A0000-0x0000000003802000-memory.dmp

Filesize
6.4MB

Download
memory/2796-13-0x00000000023C0000-0x000000000297C000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing