danabot | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
137s
max time network
137s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22/02/2025, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

danabot banker botnet discovery trojan

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

resource	yara_rule
behavioral1/files/0x0007000000027ded-480.dat	family_danabot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
73	3272	rundll32.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
51	5800	msedge.exe
51	5800	msedge.exe

Executes dropped EXE 1 IoCs

pid	Process
232	DanaBot.exe

Loads dropped DLL 4 IoCs

pid	Process
5384	regsvr32.exe
5384	regsvr32.exe
3272	rundll32.exe
3272	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
50	raw.githubusercontent.com
51	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2284	232	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5800	msedge.exe
5800	msedge.exe
5032	msedge.exe
5032	msedge.exe
1560	identity_helper.exe
1560	identity_helper.exe
5344	msedge.exe
5344	msedge.exe
2732	msedge.exe
2732	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 3956	5032	msedge.exe	83
PID 5032 wrote to memory of 3956	5032	msedge.exe	83
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5052	5032	msedge.exe	84
PID 5032 wrote to memory of 5800	5032	msedge.exe	85
PID 5032 wrote to memory of 5800	5032	msedge.exe	85
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86
PID 5032 wrote to memory of 4740	5032	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff5e6246f8,0x7fff5e624708,0x7fff5e624718
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 /prefetch:8
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5460 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6992 /prefetch:8
  2⤵
  PID:3456
- C:\Users\Admin\Downloads\DanaBot.exe
  "C:\Users\Admin\Downloads\DanaBot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:232
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@232
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5384
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 472
    3⤵
    - Program crash
    PID:2284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 232 -ip 232
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5e1b2802-8523-4772-a0e2-e7620ffde809.tmp

Filesize
10KB

MD5
94caeb51968eec58fdb181e3e6aea2ab

SHA1
c4ef8b32f2db1ef6a7dd9a59c9338d43732e866c

SHA256
934cbabc0150c227c20bf537a4294efce756aaca4492595bbf439aa3a90f9d34

SHA512
42d6cfd91863c9032cc566e14abaeb09ce6e5709424f30b458ebde06b461856ff255692b9148de0cfcf2b223665ceee6ce2538713e90a6609701f49e1041391d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed05621b2a1e4a5665da21bfaf333a47

SHA1
4cd83a338b9bb2940b9cd9c3c8cc6a7638556579

SHA256
bc3f423aae2852f02ecee50bc19e7c78cc61b20e0d3bb04237ec628c3cf63c5a

SHA512
775d9523db85198ce510e082e2932fdcb7ef2ef1ec8d730cada441f795919399ecb3fb72b498c1c20c555aa95728a33bc45387ae43818cef51a19316bd80b2df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7a1db52aee336d6babb258dcb65b9155

SHA1
1acd904ce998c6a0dade71a325d92a9932ccf716

SHA256
46bf1402c334d276a617a0c0c4b767df9d92550375239147b7cd11eda32f5527

SHA512
10b1a874042f1bb1e3b7d1293dda159c9726cd30a2330f1c88b9401b1e26011b814f9a8c83f4b3327bbe904298d0aead8f974747305328652128886f57dd8008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
eaa41e447d34ee9c6bea6cf1ecc64ebd

SHA1
a2a47395a06103cdcd85d3f247fd3b55bbc44d3b

SHA256
62b4fb5acfee3d2deb0d1390df26172cfa2b5a17289541d7e7caa2af7c5d379c

SHA512
5cd96c25eca6189037a78cf9cf4fc93771bd939420c27e9e6fb0144c3c738d3b6c1d69bdfc1bd98c140a40dab0cedee34b37adfed69fc79e5a8c601140376844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a026e2bad29857a692a97c5adcb786c1

SHA1
ece64944d64fd54b5ceb81b0ab528c478413eeba

SHA256
1e918c8e148642130182771164330b511a866f02c3e76923f566efa6a8601475

SHA512
b5a03b2582debcb7f5685bb1acfa22f35a3d7f252eca03a0d47a11428f3c06d709b26ef250b5a0b0ebf65e5044382a2961da0729c3d403a01c496d176fa7490f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b8aafcfde49a758d6f05217ae01248c4

SHA1
5d932f028f1e32181fb04adcef81cbd40ccf168b

SHA256
4c436093a0cc8d6d00eab67cfb21ef92b93494d9d3f3b030f170ddd442c7c1e7

SHA512
a683875a95294d85c1a5c3e9a4e0d76f7bbb66ad0e4f8b4d293bdda7a50db0fe36a7ff83b2668e31ff01a1031b746887fa74956e386e347036eb72143a8dc069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d11823a22f9b8a6fcfbfecba46ece94

SHA1
c97eb22e03e1f4492a04fe5d2d2ffdfd0937c879

SHA256
86ed19214cdc4e37ff42ebf72f10a534aaba4d5e6c2a58d389409060a3e17c90

SHA512
d87f7713e710f971a6a738ba4fa1a035edf164a7a4c386a3b54b90e5d02ed3dfb95c70ccf0b760c2fa0a8c3195dca4d2488315b0322588b91faaf8a9855bc069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e06e0eabe13da96c0555c9f41f27680f

SHA1
aeb0ff83a4000fc3425afae51862c468d640d773

SHA256
41cdd39dd72d2e3b06cb3894fb08435c66cab64a4b5e6f7c42744886e60a6368

SHA512
6fdc73101ec2eb9d36a7614e6e824b90af33ffc9a2249f08060f0d26bf0776d07bb65eb4f11fa2a9c07e248e7f5396d8fb5271a48b9927e2603edcf332a527aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
80e228e6c3f831a101e380d71a429c6c

SHA1
15d93128b01b3bdc42cdd200df92ca8f781f2ad4

SHA256
70c58e9d8565782775340c11e385149f29def83dbbd287a97306c72cb0c7230f

SHA512
e84657477bbf8b2f2dbf5037cdaadd255b16883e6405d8fc241687b93716ae4e0c29020e50f65f826143fefd534676023b8121e15ac8147482e5e4f442fc1cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0b86a9711959eff2edf3d56e1d696a71

SHA1
2ee98226fb0b6e64af7ed19b287f1c8e86a81f58

SHA256
1b02278926e70acb9b1c7e4064f724e4b468f1fab0a6a1dd24139134ebe27796

SHA512
7c85949f5641ad99b4fc96dbb8d2ad35ccddb2cc982fdbd847e8ff876f9e3c9768bea0ceb317a886944f57f79afe9b53447736f6063f787ff92baacbfc908386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
de9641b099d7ee6cc480bd815cfe79a6

SHA1
081a957c040b629f4c7cdcd2b4756cb041cf9b0f

SHA256
a22cdc30e792f78f73b9b3ab96eea8309c1ed79805eb5fcd62771062f5f29a26

SHA512
64174694f4020520a12b2441d84ad3506b3dbe0cfde7c413e028e805ec9b4e5da7d74d2f505a7da9ea4f40327dab89b897335944447a930c7232a087301b6e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aff5ee3011ab2a5860012bce336eef30

SHA1
f22eb2b4ac8e512dddb7c2c3e885535cf3714fcc

SHA256
da4bfeef895c35ccc50d579c4ad381b5e689fdd8ec97e3384c04b080c477dd58

SHA512
06010c1008c733abef1db85c691a1f835579171f46e44ce8d1c3c59554b8bef06cb8b57999fbe17a2b6866dae7f876e877733d0b3246683ee2d28e4f96a135b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2dcf06452d6396fe48edf5834b792a9f

SHA1
6ac59477207d3c34fc0af73ae4197d687b5f5758

SHA256
167918a910b1057e77a79ad37a8b1b270144ea567ae5327ca1772afdc12aa90d

SHA512
68f832b98a21b1022d6a0c5fab04730ed6812ccf9508e7bdf3376428a8f9fb5aeda9e3308363f9654171a66b1e57bcbbee6a68056d72f85e8d3a6dedca56588e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7e89104e1e2c5e878d9ce1709d8e5275

SHA1
c3136114ef73ec7a5adf4585566363992abbba6f

SHA256
6aa69921b90c198258f43aff086562e5063db300c335700307677d1efefe775b

SHA512
f74445e638c126bb571975f1155f8002778eed6191c1c89d9f75556b827261232c45f80b46afe1e53bed252f53bb0fc807e0637fa31d4f7a9901ef3b4397398c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c6ab.TMP

Filesize
874B

MD5
5784d3e757557f5d3738894e52f2976f

SHA1
55ea410fd1f7bd9ebbb72f5d2dff531291b9322e

SHA256
f2a55cc47f65c0c0613424c72386dcc1a5aff369c07cf9103b9ab905c7242de4

SHA512
e154300423b03ab8e66864edf89fd6e167a862f4055cc7325f70319f3bf7a04a348a60ef3e21cb913df0b6a8208079081a61f54c41b69e7d6ef5934a06746f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b3c514285fb8a5d1b8e1bc24ba19ad9a

SHA1
a1e6d9e57d99cad93400001f7a47b6f1c3380d0a

SHA256
29ca85b05830b7c219d7d51a272afc9b285e2211c7c70821aaf1d1adeee959c8

SHA512
775fbb1aac8bc187b98e82421f95a746d29a894a3d791e08153df27e2e4179327e618bdb278cd7284c804cc222e0268cd0aa462a248db6208a7347c37e5c0891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
53e328d2ecfe3ed8f83e9793e6bd7417

SHA1
08805532af46b6287e77b9ad51025484d4bbdcc0

SHA256
8490c542e428df26a14c44eec4cc099bcbcf02a842639ae71dc2537a054856d2

SHA512
eaf6c1c83a5a479a88e2f0d3d46fcbdac5cec7283b34ffc52bd8b38627f091fbc540952de2b76c221b1aad1ed1dae94d67672b9ceb31a0dec4bb1a26a7e1bd7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b3c77753066ed8e455e691956805b9ec

SHA1
f9827b961104d6d66119f91ea198e5d56c2a72c7

SHA256
553a897a33bd60d8e2b5e572a71e9f13d1dcfe1adde4d2ba6bc616e12aea0c1f

SHA512
f35a0d10706350b48a8fc65091befb2e0e2d437ec732deeb306747f06572c8c8e477375ce7ee2322cf408adf86cd44b0d478dce36da36630853cd3d21f1ddbb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f05a376783c4bf1fe81bd720c8e53f11

SHA1
77e3b4a9bcc71c38134dba751e5dd9bb9baa788d

SHA256
ef5fe9c94759a0ab0728260a768ceee813acaf009aa2e0c3ed042f31d9ce9d60

SHA512
5f9c153b62439881f9b71bd5b5b422a8a9a6fc2924e75d8f289fef60e5749f6647563dc316d7e4c2bb1c94e7fe9ba5501d6c3756368ba60649b20f35f4b19fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
60ad66aec0f1071770421f002db57599

SHA1
08e4d7883d7ac9edef97176f2606fb5dfa892cc5

SHA256
3bd88e380c801dfd8284b07ea93804d917a12b6140ec579a217f9c598f8d331f

SHA512
a04096ca9d66af3099b70a791dbdadff22d040dbab2c4385a44653830445bbc3eef8d1f7897fe428b5e4bbbd28673db071f2c38b2c45ac724b774286d0c19c3d

Download Submit
C:\Users\Admin\DOWNLO~1\DanaBot.dll

Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\Users\Admin\Downloads\Emotet.zip

Filesize
102KB

MD5
510f114800418d6b7bc60eebd1631730

SHA1
acb5bc4b83a7d383c161917d2de137fd6358aabd

SHA256
f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89

SHA512
6fe51c58a110599ea5d7f92b4b17bc2746876b4b5b504e73d339776f9dfa1c9154338d6793e8bf75b18f31eb677afd3e0c1bd33e40ac58e8520acbb39245af1a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 356021.crdownload

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 663697.crdownload

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
memory/232-487-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/3272-486-0x00000000022F0000-0x000000000255B000-memory.dmp

Filesize
2.4MB

Download
memory/5384-483-0x0000000002E80000-0x00000000030EB000-memory.dmp

Filesize
2.4MB

Download