File name:

mal.vbs

Full analysis: https://app.any.run/tasks/7475349c-df16-4e19-ae7a-53ab676008fd
Verdict: Malicious activity
Threats:

Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.

Malware Trends Tracker     >>>
Analysis date: April 24, 2019, 07:15:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
danabot
trojan
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5:

A1F119BE2C55029F4D38F9356A1CC680

SHA1:

17E8A06F9144530F18A4F526D4C5EA7911D9A3A5

SHA256:

7DC49F4A6D3BB583D11AE9F83BA671CB04F3B17A7772BE980CDB99563EDDE75E

SSDEEP:

24576:EIc6FGvWzX6VhZU9svvg5Fw0OYBK8VFs3eX9ANvrlITDWSzuOcs1VOyAF:9O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 2828)
      • rundll32.exe (PID: 4016)
      • RUNDLL32.EXE (PID: 3484)
      • rundll32.exe (PID: 2140)
      • RUNDLL32.EXE (PID: 3532)
      • svchost.exe (PID: 3376)
      • winlogon.exe (PID: 444)
      • RUNDLL32.EXE (PID: 2136)
      • services.exe (PID: 492)
      • RUNDLL32.EXE (PID: 2096)
      • RUNDLL32.EXE (PID: 3812)
      • explorer.exe (PID: 252)

    • Registers / Runs the DLL via REGSVR32.EXE

      • WScript.exe (PID: 2932)

    • DANABOT was detected

      • rundll32.exe (PID: 4016)

    • Connects to CnC server

      • rundll32.exe (PID: 4016)
      • svchost.exe (PID: 3376)

    • DanaBot detected

      • rundll32.exe (PID: 2140)
      • RUNDLL32.EXE (PID: 3484)
      • RUNDLL32.EXE (PID: 3532)
      • svchost.exe (PID: 3376)
      • winlogon.exe (PID: 444)
      • services.exe (PID: 492)
      • RUNDLL32.EXE (PID: 2096)
      • RUNDLL32.EXE (PID: 2136)
      • explorer.exe (PID: 252)
      • RUNDLL32.EXE (PID: 3812)

    • Application was injected by another process

      • winlogon.exe (PID: 444)
      • services.exe (PID: 492)
      • explorer.exe (PID: 252)

    • Runs injected code in another process

      • svchost.exe (PID: 3376)

    • Stealing of credential data

      • RUNDLL32.EXE (PID: 3484)

    • Changes settings of System certificates

      • RUNDLL32.EXE (PID: 2096)

    • Actions looks like stealing of personal data

      • RUNDLL32.EXE (PID: 3484)

  • SUSPICIOUS

    • Creates files in the program directory

      • rundll32.exe (PID: 4016)
      • rundll32.exe (PID: 2140)
      • svchost.exe (PID: 3376)
      • RUNDLL32.EXE (PID: 2096)
      • RUNDLL32.EXE (PID: 3484)

    • Executes scripts

      • explorer.exe (PID: 252)

    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 4016)
      • WScript.exe (PID: 2932)

    • Uses RUNDLL32.EXE to load library

      • regsvr32.exe (PID: 2828)
      • rundll32.exe (PID: 4016)
      • rundll32.exe (PID: 2140)
      • svchost.exe (PID: 3376)

    • Application launched itself

      • rundll32.exe (PID: 4016)
      • rundll32.exe (PID: 2140)

    • Creates or modifies windows services

      • services.exe (PID: 492)
      • RUNDLL32.EXE (PID: 3532)

    • Loads DLL from Mozilla Firefox

      • RUNDLL32.EXE (PID: 3484)
      • RUNDLL32.EXE (PID: 2096)
      • RUNDLL32.EXE (PID: 3812)

    • Searches for installed software

      • RUNDLL32.EXE (PID: 3484)

    • Reads the cookies of Mozilla Firefox

      • RUNDLL32.EXE (PID: 3484)

    • Reads the cookies of Google Chrome

      • RUNDLL32.EXE (PID: 3484)

    • Reads Windows Product ID

      • RUNDLL32.EXE (PID: 3484)

    • Creates files in the user directory

      • RUNDLL32.EXE (PID: 2096)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
15
Malicious processes
13
Suspicious processes
0

Behavior graph

Click at the process to see the details
start inject inject inject wscript.exe regsvr32.exe no specs #DANABOT rundll32.exe #DANABOT rundll32.exe no specs #DANABOT rundll32.exe wusa.exe no specs wusa.exe #DANABOT rundll32.exe #DANABOT svchost.exe winlogon.exe #DANABOT rundll32.exe no specs #DANABOT rundll32.exe no specs #DANABOT services.exe explorer.exe #DANABOT rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2932"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\mal.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2828"C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\\MiSBxs.dllFFWjGUC:\Windows\System32\regsvr32.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
4016C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\MiSBxs.dllFFWjGU,f0C:\Windows\system32\rundll32.exe
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2140C:\Windows\system32\\rundll32.exe C:\PROGRA~2\F35802F6\EB29C513.dll,f1 C:\Users\admin\AppData\Local\Temp\MiSBxs.dllFFWjGU@4016C:\Windows\system32\rundll32.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3484C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F35802F6\EB29C513.dll,f2 4B505FDA7C8060A24D406F8A34C5FCCBC:\Windows\system32\RUNDLL32.EXE
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2220"C:\Windows\System32\wusa.exe" /quietC:\Windows\System32\wusa.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
3040"C:\Windows\System32\wusa.exe" /quietC:\Windows\System32\wusa.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
87
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3532C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F35802F6\EB29C513.dll,f8C:\Windows\system32\RUNDLL32.EXE
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3376C:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
444winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winsta.dll
Total events
471
Read events
406
Write events
65
Delete events
0

Modification events

(PID) Process:(252) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\jfpevcg.rkr
Value:
00000000000000000000000003170000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
(PID) Process:(252) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:HRZR_PGYFRFFVBA
Value:
000000000400000002000000FA8A00000200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F02
(PID) Process:(2932) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2932) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2140) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2140) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
2
Suspicious files
4
Text files
4
Unknown types
15

Dropped files

PID
Process
Filename
Type
4016rundll32.exeC:\ProgramData\F35802F6\37C8843F
MD5:
SHA256:
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1323875.tmp-shm
MD5:
SHA256:
2096RUNDLL32.EXEC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db-journal
MD5:
SHA256:
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1326109.tmp
MD5:
SHA256:
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1326109.tmp-shm
MD5:
SHA256:
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1323125.tmpsqlite
MD5:7ED7E7FFE1DC4EAAEE2EDAFDD4815A47
SHA256:BD7D82BAB01903699A91783F35D7E1EBF2BA8AEDC1023F09C0E6934B1B0651C3
2140rundll32.exeC:\ProgramData\F35802F6\1DABC5A9text
MD5:F25431B21DBFC65A04AE6DC3DF686B67
SHA256:B184EB03C077B683FFAE16B0326CEBC25139899E0D2398D51928A24311D6B11B
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1323875.tmpsqlite
MD5:0FADC4296E7FD3E437963BB826E6F340
SHA256:B1F9AFD138384F008321699664F69961BB2A36BA0FA1E0A807336696A344836A
4016rundll32.exeC:\ProgramData\F35802F6\EB29C513.dllexecutable
MD5:34493199F5A871108A3D7C8B33D4B88B
SHA256:A0D58625C5965CFC099E9940B967502E5068FFA3F936C7687EB600BC41DD1383
2096RUNDLL32.EXEC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.dbsqlite
MD5:4DE13B53141DE7C42B4E29F6AFF3D0B5
SHA256:445D01150FA4AFCD0357CA53F06A945A2F98FDB8C21E2859939E225434D7DB79
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
0
Threats
23

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4016
rundll32.exe
95.179.186.57:443
Cosmoline Telecommunication Services S.A.
GR
malicious
3376
svchost.exe
195.239.225.127:443
PVimpelCom
RU
malicious
3376
svchost.exe
6.100.192.167:443
US
malicious
4016
rundll32.exe
25.235.71.119:443
GB
malicious
3376
svchost.exe
95.179.186.57:443
Cosmoline Telecommunication Services S.A.
GR
malicious
4016
rundll32.exe
172.79.113.253:443
Frontier Communications of America, Inc.
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
mal.vbs