danabot | c833f5951c3e22b358388cb256676ecd44f38ae2025c0e48bb717200f5eced09

General

Target

261f8b9ee047f2e9ff3437b55b228c50N.dll
Size

3.7MB
MD5

261f8b9ee047f2e9ff3437b55b228c50
SHA1

b121fbabb9729635dc0f2f9f99c3c8b839d3589e
SHA256

c833f5951c3e22b358388cb256676ecd44f38ae2025c0e48bb717200f5eced09
SHA512

5c3de5b66c8852446fc9d6b4b218ac5073bb9365be387191ef69430027ce59fff0140482d58fb85d7890f64a974bbb236cd66bccd2bf867b1de59eb6e9d3580f
SSDEEP

98304:A0GrDh3DM50y37vVpRMYRF8fmB+XmJsvfS8rw9YXh:ARh450y3zKYRWfY+W6vf3h

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1755

Botnet

3

C2

78.138.98.136:443

134.119.186.199:443

192.236.192.238:443

172.93.201.39:443

Attributes

embedded_hash
82C66843DE542BC5CB88F713DE39B52B
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	2548	RUNDLL32.EXE
3	2548	RUNDLL32.EXE
6	2548	RUNDLL32.EXE
7	2548	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K9RFKP48\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	RUNDLL32.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	rundll32.exe
Token: SeDebugPrivilege	2548	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 3052	2092	rundll32.exe	30
PID 2092 wrote to memory of 3052	2092	rundll32.exe	30
PID 2092 wrote to memory of 3052	2092	rundll32.exe	30
PID 2092 wrote to memory of 3052	2092	rundll32.exe	30
PID 2092 wrote to memory of 3052	2092	rundll32.exe	30
PID 2092 wrote to memory of 3052	2092	rundll32.exe	30
PID 2092 wrote to memory of 3052	2092	rundll32.exe	30
PID 3052 wrote to memory of 2548	3052	rundll32.exe	32
PID 3052 wrote to memory of 2548	3052	rundll32.exe	32
PID 3052 wrote to memory of 2548	3052	rundll32.exe	32
PID 3052 wrote to memory of 2548	3052	rundll32.exe	32
PID 3052 wrote to memory of 2548	3052	rundll32.exe	32
PID 3052 wrote to memory of 2548	3052	rundll32.exe	32
PID 3052 wrote to memory of 2548	3052	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\261f8b9ee047f2e9ff3437b55b228c50N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\261f8b9ee047f2e9ff3437b55b228c50N.dll,#1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\261f8b9ee047f2e9ff3437b55b228c50N.dll,n0tU
    3⤵
    - Blocklisted process makes network request
    - Drops desktop.ini file(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png

Filesize
7KB

MD5
9f7165e53ce1f7f109be240a7145d96d

SHA1
08df18922492fe799f75912a100d00f4fb9ed4c4

SHA256
7ace7af33ecddb14b0e5870d9c5be28f0218d106f33fb505154d089a5055e9e9

SHA512
8fed74e748736b36a9ff33340120a85f722651a877b5404ae79eb650b31885d37b43d8102cfd9eeda4033dbf463d324533ced3bb2418e95fa0662291652db448

Download Submit
C:\Users\Admin\AppData\Local\Temp\udvfzi.tmp

Filesize
256B

MD5
25e598a221f536d32226d4d94305beef

SHA1
ee16f1f636881acfb7b25b862a8ea841bec9b805

SHA256
7da9dc01a5ad5b0c81cdc5bc109ad669d6096bdce933174ecd97f0e9db06e2b8

SHA512
b94cc2a07620c5190150938baf2d77090479b842e44a9e7726debae1c36bfe805856465a37ee8b08bc4b6de050d416a451f6798cf3c20ee923c9f487d9f9929a

Download Submit
memory/2548-9-0x0000000002DD0000-0x000000000342E000-memory.dmp

Filesize
6.4MB

Download
memory/2548-6-0x0000000002DD0000-0x000000000342E000-memory.dmp

Filesize
6.4MB

Download
memory/2548-8-0x0000000002DD0000-0x000000000342E000-memory.dmp

Filesize
6.4MB

Download
memory/2548-7-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/2548-4-0x0000000002260000-0x000000000262B000-memory.dmp

Filesize
3.8MB

Download
memory/2548-10-0x0000000002DD0000-0x000000000342E000-memory.dmp

Filesize
6.4MB

Download
memory/2548-34-0x0000000002260000-0x000000000262B000-memory.dmp

Filesize
3.8MB

Download
memory/2548-36-0x0000000002DD0000-0x000000000342E000-memory.dmp

Filesize
6.4MB

Download
memory/3052-3-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/3052-5-0x0000000002AA0000-0x00000000030FE000-memory.dmp

Filesize
6.4MB

Download
memory/3052-0-0x0000000002030000-0x00000000023FB000-memory.dmp

Filesize
3.8MB

Download
memory/3052-2-0x0000000002AA0000-0x00000000030FE000-memory.dmp

Filesize
6.4MB

Download
memory/3052-1-0x0000000002AA0000-0x00000000030FE000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing