analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

mal.vbs

Full analysis: https://app.any.run/tasks/7475349c-df16-4e19-ae7a-53ab676008fd
Verdict: Malicious activity
Threats:

Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.

Malware Trends Tracker     >>>
Analysis date: April 24, 2019, 07:15:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
danabot
trojan
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5:

A1F119BE2C55029F4D38F9356A1CC680

SHA1:

17E8A06F9144530F18A4F526D4C5EA7911D9A3A5

SHA256:

7DC49F4A6D3BB583D11AE9F83BA671CB04F3B17A7772BE980CDB99563EDDE75E

SSDEEP:

24576:EIc6FGvWzX6VhZU9svvg5Fw0OYBK8VFs3eX9ANvrlITDWSzuOcs1VOyAF:9O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • WScript.exe (PID: 2932)

    • Connects to CnC server

      • rundll32.exe (PID: 4016)
      • svchost.exe (PID: 3376)

    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 2828)
      • rundll32.exe (PID: 4016)
      • rundll32.exe (PID: 2140)
      • RUNDLL32.EXE (PID: 3484)
      • RUNDLL32.EXE (PID: 3532)
      • svchost.exe (PID: 3376)
      • winlogon.exe (PID: 444)
      • RUNDLL32.EXE (PID: 2136)
      • RUNDLL32.EXE (PID: 2096)
      • services.exe (PID: 492)
      • explorer.exe (PID: 252)
      • RUNDLL32.EXE (PID: 3812)

    • DANABOT was detected

      • rundll32.exe (PID: 4016)

    • DanaBot detected

      • rundll32.exe (PID: 2140)
      • RUNDLL32.EXE (PID: 3532)
      • RUNDLL32.EXE (PID: 3484)
      • winlogon.exe (PID: 444)
      • svchost.exe (PID: 3376)
      • RUNDLL32.EXE (PID: 2136)
      • RUNDLL32.EXE (PID: 2096)
      • services.exe (PID: 492)
      • explorer.exe (PID: 252)
      • RUNDLL32.EXE (PID: 3812)

    • Application was injected by another process

      • winlogon.exe (PID: 444)
      • services.exe (PID: 492)
      • explorer.exe (PID: 252)

    • Runs injected code in another process

      • svchost.exe (PID: 3376)

    • Stealing of credential data

      • RUNDLL32.EXE (PID: 3484)

    • Actions looks like stealing of personal data

      • RUNDLL32.EXE (PID: 3484)

    • Changes settings of System certificates

      • RUNDLL32.EXE (PID: 2096)

  • SUSPICIOUS

    • Application launched itself

      • rundll32.exe (PID: 4016)
      • rundll32.exe (PID: 2140)

    • Creates files in the program directory

      • rundll32.exe (PID: 4016)
      • rundll32.exe (PID: 2140)
      • svchost.exe (PID: 3376)
      • RUNDLL32.EXE (PID: 2096)
      • RUNDLL32.EXE (PID: 3484)

    • Uses RUNDLL32.EXE to load library

      • rundll32.exe (PID: 4016)
      • regsvr32.exe (PID: 2828)
      • rundll32.exe (PID: 2140)
      • svchost.exe (PID: 3376)

    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 4016)
      • WScript.exe (PID: 2932)

    • Executes scripts

      • explorer.exe (PID: 252)

    • Creates or modifies windows services

      • RUNDLL32.EXE (PID: 3532)
      • services.exe (PID: 492)

    • Loads DLL from Mozilla Firefox

      • RUNDLL32.EXE (PID: 3484)
      • RUNDLL32.EXE (PID: 2096)
      • RUNDLL32.EXE (PID: 3812)

    • Searches for installed software

      • RUNDLL32.EXE (PID: 3484)

    • Reads the cookies of Mozilla Firefox

      • RUNDLL32.EXE (PID: 3484)

    • Creates files in the user directory

      • RUNDLL32.EXE (PID: 2096)

    • Reads Windows Product ID

      • RUNDLL32.EXE (PID: 3484)

    • Reads the cookies of Google Chrome

      • RUNDLL32.EXE (PID: 3484)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
15
Malicious processes
13
Suspicious processes
0

Behavior graph

Click at the process to see the details
start inject inject inject wscript.exe regsvr32.exe no specs #DANABOT rundll32.exe #DANABOT rundll32.exe no specs #DANABOT rundll32.exe wusa.exe no specs wusa.exe #DANABOT rundll32.exe #DANABOT svchost.exe winlogon.exe #DANABOT rundll32.exe no specs #DANABOT rundll32.exe no specs #DANABOT services.exe explorer.exe #DANABOT rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2932"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\mal.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2828"C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\\MiSBxs.dllFFWjGUC:\Windows\System32\regsvr32.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
4016C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\MiSBxs.dllFFWjGU,f0C:\Windows\system32\rundll32.exe
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2140C:\Windows\system32\\rundll32.exe C:\PROGRA~2\F35802F6\EB29C513.dll,f1 C:\Users\admin\AppData\Local\Temp\MiSBxs.dllFFWjGU@4016C:\Windows\system32\rundll32.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3484C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F35802F6\EB29C513.dll,f2 4B505FDA7C8060A24D406F8A34C5FCCBC:\Windows\system32\RUNDLL32.EXE
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2220"C:\Windows\System32\wusa.exe" /quietC:\Windows\System32\wusa.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
3040"C:\Windows\System32\wusa.exe" /quietC:\Windows\System32\wusa.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
87
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3532C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F35802F6\EB29C513.dll,f8C:\Windows\system32\RUNDLL32.EXE
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3376C:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
444winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winsta.dll
Total events
471
Read events
406
Write events
65
Delete events
0

Modification events

(PID) Process:(252) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\jfpevcg.rkr
Value:
00000000000000000000000003170000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
(PID) Process:(252) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:HRZR_PGYFRFFVBA
Value:
000000000400000002000000FA8A00000200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F02
(PID) Process:(2932) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2932) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2140) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2140) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
2
Suspicious files
4
Text files
4
Unknown types
15

Dropped files

PID
Process
Filename
Type
4016rundll32.exeC:\ProgramData\F35802F6\37C8843F
MD5:
SHA256:
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1323875.tmp-shm
MD5:
SHA256:
2096RUNDLL32.EXEC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db-journal
MD5:
SHA256:
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1326109.tmp
MD5:
SHA256:
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1326109.tmp-shm
MD5:
SHA256:
2096RUNDLL32.EXEC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journalbinary
MD5:9F12A4A97EBC62B38861F99777DE30F3
SHA256:56C9E346AEE476CF481F6A6524595AFB379ECF9521D95E847A0A39B9D5FA0BB4
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1323875.tmpsqlite
MD5:0FADC4296E7FD3E437963BB826E6F340
SHA256:B1F9AFD138384F008321699664F69961BB2A36BA0FA1E0A807336696A344836A
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1323125.tmpsqlite
MD5:7ED7E7FFE1DC4EAAEE2EDAFDD4815A47
SHA256:BD7D82BAB01903699A91783F35D7E1EBF2BA8AEDC1023F09C0E6934B1B0651C3
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1317875.tmpsqlite
MD5:60B51BA20224AC3783E213EA9F55F125
SHA256:0E305BA02985F26B29B234CD79D2C2AF0A51085DA2DB2BED98D20F8C61B76254
2096RUNDLL32.EXEC:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\0479eb5a71ca85ee67e6f14f4d9c32c3_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:DFC47158CF82C2F1E67720539A1E44D2
SHA256:8B9C0F374CB1845C0D28D5031B5567F9CD2D3883F513FC792C0D76976D8CAA0C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
0
Threats
23

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4016
rundll32.exe
172.79.113.253:443
Frontier Communications of America, Inc.
US
malicious
3376
svchost.exe
95.179.186.57:443
Cosmoline Telecommunication Services S.A.
GR
malicious
3376
svchost.exe
6.100.192.167:443
US
malicious
4016
rundll32.exe
25.235.71.119:443
GB
malicious
4016
rundll32.exe
95.179.186.57:443
Cosmoline Telecommunication Services S.A.
GR
malicious
3376
svchost.exe
195.239.225.127:443
PVimpelCom
RU
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
mal.vbs