danabot | f41d9ca984b9c4efb0f8c375d5393364376c3e0967417a2fdde1d7fddb048cc2

General

Target

ec56fe2723f85dead33ab380ae1c2b30N.exe
Size

4.4MB
MD5

ec56fe2723f85dead33ab380ae1c2b30
SHA1

f0e046ae1724dd1edda6abbeed36f58c077568e8
SHA256

f41d9ca984b9c4efb0f8c375d5393364376c3e0967417a2fdde1d7fddb048cc2
SHA512

2b3a0ae0dc40aa37c94702fccaf91d5a6d37f4c92c19174de1c92fd7a70d0801cb763222704adc663242e5e46502ba7c323ab9489f75426afd7a2ec50a97f107
SSDEEP

98304:iJl5IIkyXvJE9lp5VjZVv6+cA7Skv2APUo4ZjekK7RR/l2azvMgLAIThFNyM/qR/:UhkyXWdVVvKZsCazNLJ5dqJ6pkG5a

Score

10^/10

danabot 3 banker discovery spyware stealer trojan upx

Malware Config

Extracted

Family

danabot

Version

1755

Botnet

3

C2

172.93.201.39:1024

192.236.192.241:443

167.114.188.34:443

45.147.228.212:443

Attributes

embedded_hash
CF4A570E177DE0D08BB5A391C595CBD7
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	2912	RUNDLL32.EXE
3	2912	RUNDLL32.EXE
6	2912	RUNDLL32.EXE
7	2912	RUNDLL32.EXE

Loads dropped DLL 8 IoCs

pid	Process
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
2912	RUNDLL32.EXE
2912	RUNDLL32.EXE
2912	RUNDLL32.EXE
2912	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2464-0-0x0000000000400000-0x0000000005010000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CBCNU6WZ\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXDUII3O\desktop.ini	RUNDLL32.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\386UAANV\desktop.ini	RUNDLL32.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2076	2464	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec56fe2723f85dead33ab380ae1c2b30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL32.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	rundll32.exe
Token: SeDebugPrivilege	2912	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3016	2464	ec56fe2723f85dead33ab380ae1c2b30N.exe	30
PID 2464 wrote to memory of 3016	2464	ec56fe2723f85dead33ab380ae1c2b30N.exe	30
PID 2464 wrote to memory of 3016	2464	ec56fe2723f85dead33ab380ae1c2b30N.exe	30
PID 2464 wrote to memory of 3016	2464	ec56fe2723f85dead33ab380ae1c2b30N.exe	30
PID 2464 wrote to memory of 3016	2464	ec56fe2723f85dead33ab380ae1c2b30N.exe	30
PID 2464 wrote to memory of 3016	2464	ec56fe2723f85dead33ab380ae1c2b30N.exe	30
PID 2464 wrote to memory of 3016	2464	ec56fe2723f85dead33ab380ae1c2b30N.exe	30
PID 2464 wrote to memory of 2076	2464	ec56fe2723f85dead33ab380ae1c2b30N.exe	31
PID 2464 wrote to memory of 2076	2464	ec56fe2723f85dead33ab380ae1c2b30N.exe	31
PID 2464 wrote to memory of 2076	2464	ec56fe2723f85dead33ab380ae1c2b30N.exe	31
PID 2464 wrote to memory of 2076	2464	ec56fe2723f85dead33ab380ae1c2b30N.exe	31
PID 3016 wrote to memory of 2912	3016	rundll32.exe	32
PID 3016 wrote to memory of 2912	3016	rundll32.exe	32
PID 3016 wrote to memory of 2912	3016	rundll32.exe	32
PID 3016 wrote to memory of 2912	3016	rundll32.exe	32
PID 3016 wrote to memory of 2912	3016	rundll32.exe	32
PID 3016 wrote to memory of 2912	3016	rundll32.exe	32
PID 3016 wrote to memory of 2912	3016	rundll32.exe	32

C:\Users\Admin\AppData\Local\Temp\ec56fe2723f85dead33ab380ae1c2b30N.exe
"C:\Users\Admin\AppData\Local\Temp\ec56fe2723f85dead33ab380ae1c2b30N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EC56FE~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\EC56FE~1.EXE
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\EC56FE~1.DLL,XDkj
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 196
  2⤵
  - Program crash
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\386UAANV\desktop.ini

Filesize
67B

MD5
4a3deb274bb5f0212c2419d3d8d08612

SHA1
fa52f823b821155cf0ec527d52ce9b1390ec615e

SHA256
2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38

SHA512
34d1a29c9142fc5a875733c49886ad52a077045831aaa79239712bcd0f312637ba86882a71d37d9d68789ef53e30be5d3470f56d03377cd1eeded98af898ff80

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC56FE~1.DLL

Filesize
3.7MB

MD5
172575774e2f59cc02f10380717e7fb3

SHA1
bea6ca450e7cef5af22605ca1ee74cc816bb9058

SHA256
00cbb4405a38539a62e3b91fdc967ad6c2a4c6844bf10fd66f4dece7b1d5dd87

SHA512
25dad4befa0d9c96611955798c614498589060353845a132870a0f37f97d31885b8c8cf75aef456e333b94dc2995e439f797a7de2a73737639085e25ce2845cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\udvfzi.tmp

Filesize
256B

MD5
da45e9f4d47bc236786d4d3d88c92603

SHA1
8dfec5353aecf4f3a01868e03b7fd6284dbd7662

SHA256
432b9751aebc15622d7c52bc4d2c6f32b4995e26ec636e4975d7e5276f03ffef

SHA512
c8fef036895877190752e21cec33d278b953213ac8bac7667daace2549de10b86acf7f77322d45b1d5113c367a4c172cfaa969e9d694803feec1a740a51d0838

Download Submit
memory/2464-43-0x0000000000400000-0x0000000005010000-memory.dmp

Filesize
76.1MB

Download
memory/2464-2-0x0000000005880000-0x0000000005C5C000-memory.dmp

Filesize
3.9MB

Download
memory/2464-1-0x00000000054B0000-0x000000000587A000-memory.dmp

Filesize
3.8MB

Download
memory/2464-3-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2464-45-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2464-0-0x0000000000400000-0x0000000005010000-memory.dmp

Filesize
76.1MB

Download
memory/2912-18-0x0000000002DC0000-0x000000000341E000-memory.dmp

Filesize
6.4MB

Download
memory/2912-20-0x0000000002DC0000-0x000000000341E000-memory.dmp

Filesize
6.4MB

Download
memory/2912-21-0x0000000002DC0000-0x000000000341E000-memory.dmp

Filesize
6.4MB

Download
memory/2912-22-0x0000000002DC0000-0x000000000341E000-memory.dmp

Filesize
6.4MB

Download
memory/2912-19-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/2912-46-0x0000000002350000-0x000000000271B000-memory.dmp

Filesize
3.8MB

Download
memory/3016-12-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/3016-11-0x0000000002DC0000-0x000000000341E000-memory.dmp

Filesize
6.4MB

Download
memory/3016-10-0x0000000002350000-0x000000000271B000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing