Overview

overview

10

Static

static

1

123321.js

windows7-x64

10

123321.js

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    24-08-2024 21:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    123321.js

  • Size

    1.1MB

  • MD5

    fe9946e628607b7d1f5b975bdd863000

  • SHA1

    91fec6fb060ecb82fad71200cd75d11c8a610e40

  • SHA256

    95abee4d159f541d81c84f6eb33a9bba7b5d1d7293e89857390b15498e138e51

  • SHA512

    8882ef3f7629dd0372e4d03f9098c323544f7e38758ccccb0e66e3f3bccf8b90e4672a76a606c5938603d9190899894916975b1ca3ba0eaa067ed57968f682cc

  • SSDEEP

    1536:DrOuB1MsFjui78aIe5TP4IdXYNVjPazZS8qR0/5T/TGXNHY4KQ4au9Pvj1B2gNAA:ALa

Score
10/10
danabotbankerbotnetdiscoveryexecutiontrojan

Malware Config

Extracted

Family

danabot

C2

89.144.25.243

14.123.141.112

91.121.17.109

97.144.123.166

89.144.25.104

37.96.21.198

26.18.85.30

88.132.191.2

106.9.214.152

161.145.156.168
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 1 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 8 IoCs
  • Loads dropped DLL 5 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\123321.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\IdkVEIfkVWId.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\regsvr32.exe
        -s C:\Users\Admin\AppData\Local\Temp\\IdkVEIfkVWId.dll
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2352
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\IdkVEIfkVWId.dll,f0
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IdkVEIfkVWId.dll
    Filesize

    284KB

    MD5

    7f73b06d9a8810e735bafaab1c5cc7a5

    SHA1

    8e46c8f4a78e510c30558a25846fa3819c101f3b

    SHA256

    7a218d6ea68caee18ad95c861d057baf0b44d593fe59e2231ed1f0916df5f1d6

    SHA512

    3cd5253f696f54fd025981af21536888f729730246275111159e0c54036a556fa57c6af27ac156bf19f79a381de776384a5ef88472acb9496956bbad932ef9c9

    Download Submit

  • memory/2352-3-0x00000000002A0000-0x00000000002F5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2352-4-0x0000000000650000-0x0000000000651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-9-0x00000000001E0000-0x0000000000235000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2896-10-0x00000000007F0000-0x00000000007F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-11-0x00000000001E0000-0x0000000000235000-memory.dmp

    Filesize

    340KB

    Download