| File name: | NDD8129652443826_267480.vbs |
| Full analysis: | https://app.any.run/tasks/bd965fea-bd9a-4bbf-990d-6599d979aae6 |
| Verdict: | Malicious activity |
| Threats: | Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method. |
| Analysis date: | September 19, 2019, 02:21:51 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines, with no line terminators |
| MD5: | F10862982E769CEEC5902B9F892457FD |
| SHA1: | D2EB9586EDBF8B8C88F4472091AD05415BCE6492 |
| SHA256: | 52B7120321D009CC03F5B1336C184C21728E1645EB6C7E56E354B23184AC3352 |
| SSDEEP: | 49152:q2W7AEwBYbMqrGtOPr61k9uXkfu5KtMoFJQAUJELQjtwGzuDRwhFO0LJ9GFmfhxG:a |
MALICIOUS
Loads dropped or rewritten executable
- regsvr32.exe (PID: 3580)
- rundll32.exe (PID: 2404)
DANABOT was detected
- rundll32.exe (PID: 2404)
SUSPICIOUS
Executed via WMI
- regsvr32.exe (PID: 3580)
Executable content was dropped or overwritten
- WScript.exe (PID: 3032)
Uses RUNDLL32.EXE to load library
- regsvr32.exe (PID: 3580)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
35
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2404 | C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\HCTvYNGmF.txt,f0 | C:\Windows\system32\rundll32.exe | regsvr32.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3032 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\NDD8129652443826_267480.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 3580 | C:\Windows\System32\regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\HCTvYNGmF.txt | C:\Windows\System32\regsvr32.exe | — | wmiprvse.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
412
Read events
406
Write events
6
Delete events
0
Modification events
| (PID) Process: | (3032) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3032) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (3032) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum |
| Operation: | write | Name: | Implementing |
Value: 1C00000001000000E307090004001300020016001200A30200000000 | |||
Executable files
1
Suspicious files
1
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3032 | WScript.exe | C:\Users\admin\AppData\Local\Temp\YasjwrWAS.txt | — | |
MD5:— | SHA256:— | |||
| 3032 | WScript.exe | C:\Users\admin\AppData\Local\Temp\TivQDJRh | text | |
MD5:— | SHA256:— | |||
| 3032 | WScript.exe | C:\Users\admin\AppData\Local\Temp\YasjwrWAS.txt.zip | compressed | |
MD5:— | SHA256:— | |||
| 3032 | WScript.exe | C:\Users\admin\AppData\Local\Temp\HCTvYNGmF.txt | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
9
DNS requests
2
Threats
8
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2404 | rundll32.exe | 77.247.181.16:443 | — | NForce Entertainment B.V. | NL | malicious |
2404 | rundll32.exe | 37.174.86.127:443 | — | Free Mobile SAS | FR | malicious |
2404 | rundll32.exe | 3.161.209.100:443 | — | — | US | malicious |
2404 | rundll32.exe | 109.117.132.13:443 | — | — | IT | malicious |
2404 | rundll32.exe | 151.236.14.84:443 | — | NForce Entertainment B.V. | NL | malicious |
2404 | rundll32.exe | 195.123.246.209:443 | — | — | UA | malicious |
2404 | rundll32.exe | 30.108.179.181:443 | — | — | US | malicious |
2404 | rundll32.exe | 67.162.242.102:443 | — | Comcast Cable Communications, LLC | US | malicious |
2404 | rundll32.exe | 152.102.131.111:443 | — | Dimension Data AP Kaki Bukit Singapore | SG | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2404 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2404 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2404 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2404 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2404 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2404 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2404 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
2404 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |