File name:

mal.vbs

Full analysis: https://app.any.run/tasks/7475349c-df16-4e19-ae7a-53ab676008fd
Verdict: Malicious activity
Threats:

Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.

Malware Trends Tracker     >>>
Analysis date: April 24, 2019, 07:15:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
danabot
trojan
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5:

A1F119BE2C55029F4D38F9356A1CC680

SHA1:

17E8A06F9144530F18A4F526D4C5EA7911D9A3A5

SHA256:

7DC49F4A6D3BB583D11AE9F83BA671CB04F3B17A7772BE980CDB99563EDDE75E

SSDEEP:

24576:EIc6FGvWzX6VhZU9svvg5Fw0OYBK8VFs3eX9ANvrlITDWSzuOcs1VOyAF:9O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • WScript.exe (PID: 2932)

    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 2828)
      • rundll32.exe (PID: 4016)
      • rundll32.exe (PID: 2140)
      • RUNDLL32.EXE (PID: 3484)
      • RUNDLL32.EXE (PID: 3532)
      • svchost.exe (PID: 3376)
      • services.exe (PID: 492)
      • winlogon.exe (PID: 444)
      • RUNDLL32.EXE (PID: 2136)
      • RUNDLL32.EXE (PID: 2096)
      • explorer.exe (PID: 252)
      • RUNDLL32.EXE (PID: 3812)

    • Connects to CnC server

      • rundll32.exe (PID: 4016)
      • svchost.exe (PID: 3376)

    • DANABOT was detected

      • rundll32.exe (PID: 4016)

    • DanaBot detected

      • rundll32.exe (PID: 2140)
      • RUNDLL32.EXE (PID: 3484)
      • RUNDLL32.EXE (PID: 3532)
      • svchost.exe (PID: 3376)
      • winlogon.exe (PID: 444)
      • RUNDLL32.EXE (PID: 2136)
      • RUNDLL32.EXE (PID: 2096)
      • services.exe (PID: 492)
      • RUNDLL32.EXE (PID: 3812)
      • explorer.exe (PID: 252)

    • Stealing of credential data

      • RUNDLL32.EXE (PID: 3484)

    • Runs injected code in another process

      • svchost.exe (PID: 3376)

    • Application was injected by another process

      • winlogon.exe (PID: 444)
      • services.exe (PID: 492)
      • explorer.exe (PID: 252)

    • Actions looks like stealing of personal data

      • RUNDLL32.EXE (PID: 3484)

    • Changes settings of System certificates

      • RUNDLL32.EXE (PID: 2096)

  • SUSPICIOUS

    • Executes scripts

      • explorer.exe (PID: 252)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2932)
      • rundll32.exe (PID: 4016)

    • Uses RUNDLL32.EXE to load library

      • regsvr32.exe (PID: 2828)
      • rundll32.exe (PID: 4016)
      • rundll32.exe (PID: 2140)
      • svchost.exe (PID: 3376)

    • Creates files in the program directory

      • rundll32.exe (PID: 4016)
      • rundll32.exe (PID: 2140)
      • svchost.exe (PID: 3376)
      • RUNDLL32.EXE (PID: 2096)
      • RUNDLL32.EXE (PID: 3484)

    • Application launched itself

      • rundll32.exe (PID: 4016)
      • rundll32.exe (PID: 2140)

    • Searches for installed software

      • RUNDLL32.EXE (PID: 3484)

    • Creates or modifies windows services

      • services.exe (PID: 492)
      • RUNDLL32.EXE (PID: 3532)

    • Loads DLL from Mozilla Firefox

      • RUNDLL32.EXE (PID: 3484)
      • RUNDLL32.EXE (PID: 2096)
      • RUNDLL32.EXE (PID: 3812)

    • Creates files in the user directory

      • RUNDLL32.EXE (PID: 2096)

    • Reads Windows Product ID

      • RUNDLL32.EXE (PID: 3484)

    • Reads the cookies of Google Chrome

      • RUNDLL32.EXE (PID: 3484)

    • Reads the cookies of Mozilla Firefox

      • RUNDLL32.EXE (PID: 3484)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
15
Malicious processes
13
Suspicious processes
0

Behavior graph

Click at the process to see the details
start inject inject inject wscript.exe regsvr32.exe no specs #DANABOT rundll32.exe #DANABOT rundll32.exe no specs #DANABOT rundll32.exe wusa.exe no specs wusa.exe #DANABOT rundll32.exe #DANABOT svchost.exe winlogon.exe #DANABOT rundll32.exe no specs #DANABOT rundll32.exe no specs #DANABOT services.exe explorer.exe #DANABOT rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
252C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
444winlogon.exeC:\Windows\System32\winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Logon Application
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winsta.dll
492C:\Windows\system32\services.exeC:\Windows\System32\services.exe
wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Services and Controller app
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
2096C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F35802F6\EB29C513.dll,f7C:\Windows\system32\RUNDLL32.EXE
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2136C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F35802F6\EB29C513.dll,f3C:\Windows\system32\RUNDLL32.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2140C:\Windows\system32\\rundll32.exe C:\PROGRA~2\F35802F6\EB29C513.dll,f1 C:\Users\admin\AppData\Local\Temp\MiSBxs.dllFFWjGU@4016C:\Windows\system32\rundll32.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2220"C:\Windows\System32\wusa.exe" /quietC:\Windows\System32\wusa.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Standalone Installer
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
2828"C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\\MiSBxs.dllFFWjGUC:\Windows\System32\regsvr32.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2932"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\mal.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3040"C:\Windows\System32\wusa.exe" /quietC:\Windows\System32\wusa.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
87
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
471
Read events
406
Write events
65
Delete events
0

Modification events

(PID) Process:(252) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\jfpevcg.rkr
Value:
00000000000000000000000003170000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
(PID) Process:(252) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:HRZR_PGYFRFFVBA
Value:
000000000400000002000000FA8A00000200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F02
(PID) Process:(2932) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2932) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2140) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2140) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3484) RUNDLL32.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
2
Suspicious files
4
Text files
4
Unknown types
15

Dropped files

PID
Process
Filename
Type
4016rundll32.exeC:\ProgramData\F35802F6\37C8843F
MD5:
SHA256:
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1323875.tmp-shm
MD5:
SHA256:
2096RUNDLL32.EXEC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db-journal
MD5:
SHA256:
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1326109.tmp
MD5:
SHA256:
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1326109.tmp-shm
MD5:
SHA256:
2932WScript.exeC:\Users\admin\AppData\Local\Temp\pDUOAWKOdKuZ.zxacLjiRXVOtext
MD5:
SHA256:
3484RUNDLL32.EXEC:\Users\admin\AppData\Local\Temp\1317875.tmpsqlite
MD5:
SHA256:
2096RUNDLL32.EXEC:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\0479eb5a71ca85ee67e6f14f4d9c32c3_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:
SHA256:
3376svchost.exeC:\ProgramData\F35802F6\62C70540\0D9F79ADB8576C86D7528A0C390FF77A.zip
MD5:
SHA256:
3376svchost.exeC:\ProgramData\F35802F6\1DABC5A9text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
0
Threats
23

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4016
rundll32.exe
172.79.113.253:443
Frontier Communications of America, Inc.
US
malicious
4016
rundll32.exe
25.235.71.119:443
GB
malicious
4016
rundll32.exe
95.179.186.57:443
Cosmoline Telecommunication Services S.A.
GR
malicious
3376
svchost.exe
195.239.225.127:443
PVimpelCom
RU
malicious
3376
svchost.exe
6.100.192.167:443
US
malicious
3376
svchost.exe
95.179.186.57:443
Cosmoline Telecommunication Services S.A.
GR
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Danabot.I
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
mal.vbs