Analysis

  • max time kernel
    111s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-07-2024 23:02

General

  • Target

    261f8b9ee047f2e9ff3437b55b228c50N.dll

  • Size

    3.7MB

  • MD5

    261f8b9ee047f2e9ff3437b55b228c50

  • SHA1

    b121fbabb9729635dc0f2f9f99c3c8b839d3589e

  • SHA256

    c833f5951c3e22b358388cb256676ecd44f38ae2025c0e48bb717200f5eced09

  • SHA512

    5c3de5b66c8852446fc9d6b4b218ac5073bb9365be387191ef69430027ce59fff0140482d58fb85d7890f64a974bbb236cd66bccd2bf867b1de59eb6e9d3580f

  • SSDEEP

    98304:A0GrDh3DM50y37vVpRMYRF8fmB+XmJsvfS8rw9YXh:ARh450y3zKYRWfY+W6vf3h

Malware Config

Extracted

Family

danabot

Version

1755

Botnet

3

C2

78.138.98.136:443

134.119.186.199:443

192.236.192.238:443

172.93.201.39:443

Attributes
  • embedded_hash

    82C66843DE542BC5CB88F713DE39B52B

  • type

    main

rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request (4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID 1508)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\261f8b9ee047f2e9ff3437b55b228c50N.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 2572, child of 1508)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\261f8b9ee047f2e9ff3437b55b228c50N.dll,#1
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\RUNDLL32.EXE (PID 4292, child of 2572)
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\261f8b9ee047f2e9ff3437b55b228c50N.dll,Yz0mZA==
        • Blocklisted process makes network request
        • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cplfbfizaucxi.tmp

    Filesize

    256B

    MD5

    6c844def9a13070e416d22bb49c98f26

    SHA1

    610e8acdde24091d8fb7ade257a15962c9f77172

    SHA256

    84491810eba3b7513fa08210f7577c1eebc5dcae456739cd055663de9ff4ccce

    SHA512

    8a96b75851936af882ae4fef755c6bf65e28704f6b1bee0ad86d5b67495822097e26166fa921a7dbf30c7832081fe685486e1f590a3b7f156fc13ed5df83a4ae

  • memory/2572-0-0x0000000002490000-0x000000000285B000-memory.dmp

    Filesize

    3.8MB

  • memory/2572-1-0x0000000002D20000-0x000000000337E000-memory.dmp

    Filesize

    6.4MB

  • memory/2572-2-0x0000000002D20000-0x000000000337E000-memory.dmp

    Filesize

    6.4MB

  • memory/2572-3-0x0000000003590000-0x0000000003591000-memory.dmp

    Filesize

    4KB

  • memory/2572-4-0x0000000002D20000-0x000000000337E000-memory.dmp

    Filesize

    6.4MB

  • memory/4292-7-0x0000000002E40000-0x000000000349E000-memory.dmp

    Filesize

    6.4MB

  • memory/4292-5-0x0000000002E40000-0x000000000349E000-memory.dmp

    Filesize

    6.4MB

  • memory/4292-8-0x0000000002E40000-0x000000000349E000-memory.dmp

    Filesize

    6.4MB

  • memory/4292-22-0x0000000002E40000-0x000000000349E000-memory.dmp

    Filesize

    6.4MB

  • memory/4292-9-0x0000000002E40000-0x000000000349E000-memory.dmp

    Filesize

    6.4MB

  • memory/4292-23-0x0000000000400000-0x00000000007CB000-memory.dmp

    Filesize

    3.8MB

  • memory/4292-25-0x0000000002E40000-0x000000000349E000-memory.dmp

    Filesize

    6.4MB

  • memory/4292-6-0x00000000007D0000-0x00000000007D1000-memory.dmp

    Filesize

    4KB