File name:	mal.vbs
Full analysis:	https://app.any.run/tasks/7475349c-df16-4e19-ae7a-53ab676008fd
Verdict:	Malicious activity
Threats:	Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	April 24, 2019, 07:15:35
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	danabot trojan stealer
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines, with no line terminators
MD5:	A1F119BE2C55029F4D38F9356A1CC680
SHA1:	17E8A06F9144530F18A4F526D4C5EA7911D9A3A5
SHA256:	7DC49F4A6D3BB583D11AE9F83BA671CB04F3B17A7772BE980CDB99563EDDE75E
SSDEEP:	24576:EIc6FGvWzX6VhZU9svvg5Fw0OYBK8VFs3eX9ANvrlITDWSzuOcs1VOyAF:9O

PID	CMD	Path	Indicators	Parent process
2932	"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\mal.vbs"	C:\Windows\System32\WScript.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
2828	"C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\\MiSBxs.dllFFWjGU	C:\Windows\System32\regsvr32.exe	—	WScript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4016	C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\MiSBxs.dllFFWjGU,f0	C:\Windows\system32\rundll32.exe		regsvr32.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2140	C:\Windows\system32\\rundll32.exe C:\PROGRA~2\F35802F6\EB29C513.dll,f1 C:\Users\admin\AppData\Local\Temp\MiSBxs.dllFFWjGU@4016	C:\Windows\system32\rundll32.exe		rundll32.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3484	C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F35802F6\EB29C513.dll,f2 4B505FDA7C8060A24D406F8A34C5FCCB	C:\Windows\system32\RUNDLL32.EXE		rundll32.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2220	"C:\Windows\System32\wusa.exe" /quiet	C:\Windows\System32\wusa.exe	—	rundll32.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Update Standalone Installer Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3040	"C:\Windows\System32\wusa.exe" /quiet	C:\Windows\System32\wusa.exe		rundll32.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Update Standalone Installer Exit code: 87 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3532	C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F35802F6\EB29C513.dll,f8	C:\Windows\system32\RUNDLL32.EXE		rundll32.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3376	C:\Windows\system32\svchost.exe -k LocalService	C:\Windows\system32\svchost.exe		services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255)
444	winlogon.exe	C:\Windows\System32\winlogon.exe		—
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Logon Application Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID	Process	Filename		Type
4016	rundll32.exe	C:\ProgramData\F35802F6\37C8843F		—
		MD5:—	SHA256:—
3484	RUNDLL32.EXE	C:\Users\admin\AppData\Local\Temp\1323875.tmp-shm		—
		MD5:—	SHA256:—
2096	RUNDLL32.EXE	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db-journal		—
		MD5:—	SHA256:—
3484	RUNDLL32.EXE	C:\Users\admin\AppData\Local\Temp\1326109.tmp		—
		MD5:—	SHA256:—
3484	RUNDLL32.EXE	C:\Users\admin\AppData\Local\Temp\1326109.tmp-shm		—
		MD5:—	SHA256:—
2932	WScript.exe	C:\Users\admin\AppData\Local\Temp\MiSBxs.dllFFWjGU		executable
		MD5:69471040BBEEE6C6562DCAC8472A21E9	SHA256:2662A9750ED240770E38E10DDF70C420712DAD7ED05A3CBA2EAC191F9D4F3231
2096	RUNDLL32.EXE	C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\0479eb5a71ca85ee67e6f14f4d9c32c3_90059c37-1320-41a4-b58d-2b75a9850d2f		dbf
		MD5:DFC47158CF82C2F1E67720539A1E44D2	SHA256:8B9C0F374CB1845C0D28D5031B5567F9CD2D3883F513FC792C0D76976D8CAA0C
3484	RUNDLL32.EXE	C:\Users\admin\AppData\Local\Temp\1323859.tmp		sqlite
		MD5:DD9640AF5F03807CF2E3921CBA16AF0D	SHA256:ECF72C454FEF08C5948A565464839A554567E499F995483D6C8B54B32EA2C5F0
2096	RUNDLL32.EXE	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db		sqlite
		MD5:4DE13B53141DE7C42B4E29F6AFF3D0B5	SHA256:445D01150FA4AFCD0357CA53F06A945A2F98FDB8C21E2859939E225434D7DB79
3376	svchost.exe	C:\ProgramData\F35802F6\62C70540\0D9F79ADB8576C86D7528A0C390FF77A.zip		—
		MD5:—	SHA256:—

PID	Process	IP	Domain	ASN	CN	Reputation
4016	rundll32.exe	172.79.113.253:443	—	Frontier Communications of America, Inc.	US	malicious
3376	svchost.exe	195.239.225.127:443	—	PVimpelCom	RU	malicious
4016	rundll32.exe	25.235.71.119:443	—	—	GB	malicious
3376	svchost.exe	95.179.186.57:443	—	Cosmoline Telecommunication Services S.A.	GR	malicious
4016	rundll32.exe	95.179.186.57:443	—	Cosmoline Telecommunication Services S.A.	GR	malicious
3376	svchost.exe	6.100.192.167:443	—	—	US	malicious

PID	Process	Class	Message
4016	rundll32.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Spy.Danabot.I
4016	rundll32.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Spy.Danabot.I
4016	rundll32.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Spy.Danabot.I
4016	rundll32.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Spy.Danabot.I
4016	rundll32.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Spy.Danabot.I
4016	rundll32.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Spy.Danabot.I
4016	rundll32.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Spy.Danabot.I
4016	rundll32.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Spy.Danabot.I
4016	rundll32.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Spy.Danabot.I
4016	rundll32.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Spy.Danabot.I

General Info

mal.vbs

A1F119BE2C55029F4D38F9356A1CC680

17E8A06F9144530F18A4F526D4C5EA7911D9A3A5

7DC49F4A6D3BB583D11AE9F83BA671CB04F3B17A7772BE980CDB99563EDDE75E

24576:EIc6FGvWzX6VhZU9svvg5Fw0OYBK8VFs3eX9ANvrlITDWSzuOcs1VOyAF:9O

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Connects to CnC server

DANABOT was detected

Registers / Runs the DLL via REGSVR32.EXE

DanaBot detected

Runs injected code in another process

Application was injected by another process

Stealing of credential data

Actions looks like stealing of personal data

Changes settings of System certificates

SUSPICIOUS

Executes scripts

Creates files in the program directory

Uses RUNDLL32.EXE to load library

Executable content was dropped or overwritten

Application launched itself

Creates or modifies windows services

Loads DLL from Mozilla Firefox

Searches for installed software

Creates files in the user directory

Reads the cookies of Mozilla Firefox

Reads the cookies of Google Chrome

Reads Windows Product ID

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings