File name: a57bcefd63d24156e1c2cf0361e726f6d7c2231375a78d328fabbe889775c9df (2)

Full analysis: https://app.any.run/tasks/69b9fae8-1be1-40e2-8b21-cc4315f27814
Verdict: Malicious activity
Threats:

Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.

Analysis date: March 14, 2019, 08:42:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, danabot, stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5: 60C9CAD51DEA98368103104BC7499626
SHA1: 2AA0C800DDB7513DEF356237D17ED50148938971
SHA256: A57BCEFD63D24156E1C2CF0361E726F6D7C2231375A78D328FABBE889775C9DF
SSDEEP: 1536:Gfbs6wU2vTAJ7GuaYoi1sCaS61gKintuPpzt5qpMsQtf2UGyMNTNpbcdcZ+B5Q/B:U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 3828)
      • rundll32.exe (PID: 3516)
      • rundll32.exe (PID: 3980)
      • RUNDLL32.EXE (PID: 184)
      • RUNDLL32.EXE (PID: 3304)
      • svchost.exe (PID: 340)
      • winlogon.exe (PID: 440)
      • RUNDLL32.EXE (PID: 3456)
      • services.exe (PID: 484)
      • RUNDLL32.EXE (PID: 4092)
      • explorer.exe (PID: 116)
      • RUNDLL32.EXE (PID: 1524)
    • Connects to CnC server

      • rundll32.exe (PID: 3516)
    • Registers / Runs the DLL via REGSVR32.EXE

      • WScript.exe (PID: 3988)
    • DanaBot detected

      • rundll32.exe (PID: 3516)
      • RUNDLL32.EXE (PID: 3304)
      • RUNDLL32.EXE (PID: 184)
      • rundll32.exe (PID: 3980)
      • winlogon.exe (PID: 440)
      • svchost.exe (PID: 340)
      • RUNDLL32.EXE (PID: 4092)
      • services.exe (PID: 484)
      • RUNDLL32.EXE (PID: 3456)
      • explorer.exe (PID: 116)
      • RUNDLL32.EXE (PID: 1524)
    • Application was injected by another process

      • winlogon.exe (PID: 440)
      • services.exe (PID: 484)
      • explorer.exe (PID: 116)
    • Runs injected code in another process

      • svchost.exe (PID: 340)
    • Stealing of credential data

      • RUNDLL32.EXE (PID: 3304)
    • Changes settings of System certificates

      • RUNDLL32.EXE (PID: 3456)
    • Actions look like stealing of personal data

      • RUNDLL32.EXE (PID: 3304)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 116)
      • regsvr32.exe (PID: 3828)
      • rundll32.exe (PID: 3980)
      • rundll32.exe (PID: 3516)
      • svchost.exe (PID: 340)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3988)
      • rundll32.exe (PID: 3516)
    • Executes scripts

      • explorer.exe (PID: 116)
    • Creates files in the program directory

      • rundll32.exe (PID: 3516)
      • rundll32.exe (PID: 3980)
      • svchost.exe (PID: 340)
      • RUNDLL32.EXE (PID: 3456)
      • RUNDLL32.EXE (PID: 3304)
    • Application launched itself

      • rundll32.exe (PID: 3516)
      • rundll32.exe (PID: 3980)
    • Searches for installed software

      • RUNDLL32.EXE (PID: 3304)
    • Creates or modifies windows services

      • services.exe (PID: 484)
      • RUNDLL32.EXE (PID: 184)
    • Loads DLL from Mozilla Firefox

      • RUNDLL32.EXE (PID: 3304)
      • RUNDLL32.EXE (PID: 3456)
      • RUNDLL32.EXE (PID: 1524)
    • Reads the cookies of Mozilla Firefox

      • RUNDLL32.EXE (PID: 3304)
    • Reads Windows Product ID

      • RUNDLL32.EXE (PID: 3304)
    • Reads the cookies of Google Chrome

      • RUNDLL32.EXE (PID: 3304)
    • Creates files in the user directory

      • RUNDLL32.EXE (PID: 3456)
  • INFO

    No info indicators.
No Malware configuration.
Total processes: 49
Monitored processes: 17
Malicious processes: 13
Suspicious processes: 0

Behavior graph

The interactive process tree is only available in the full report. Nodes shown, in order (nodes tagged #DANABOT are those flagged by the DanaBot signature; "no specs" marks nodes without detail): start; inject; inject; inject; rundll32.exe (no specs); explorer.exe (no specs); wscript.exe; regsvr32.exe (no specs); #DANABOT rundll32.exe; #DANABOT rundll32.exe (no specs); #DANABOT rundll32.exe; wusa.exe (no specs); wusa.exe; #DANABOT rundll32.exe; #DANABOT svchost.exe; #DANABOT winlogon.exe; #DANABOT rundll32.exe (no specs); #DANABOT rundll32.exe (no specs); #DANABOT services.exe; #DANABOT explorer.exe; #DANABOT rundll32.exe

Process information

Each entry lists PID, command line (CMD), image path and parent process, followed by the process details.

PID 2872
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\a57bcefd63d24156e1c2cf0361e726f6d7c2231375a78d328fabbe889775c9df (2)
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Windows host process (Rundll32) | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3832
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Windows Explorer | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3988
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\loyo.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Microsoft ® Windows Based Script Host | Exit code: 0 | Version: 5.8.7600.16385

PID 3828
CMD: "C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp/ofoM.dll
Path: C:\Windows\System32\regsvr32.exe
Parent process: WScript.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Microsoft(C) Register Server | Exit code: 4 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3516
CMD: C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\ofoM.dll,f0
Path: C:\Windows\system32\rundll32.exe
Parent process: regsvr32.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Windows host process (Rundll32) | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3980
CMD: C:\Windows\system32\\rundll32.exe C:\PROGRA~2\F35802F6\EB29C513.dll,f1 C:\Users\admin\AppData\Local\Temp\ofoM.dll@3516
Path: C:\Windows\system32\rundll32.exe
Parent process: rundll32.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Windows host process (Rundll32) | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3304
CMD: C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F35802F6\EB29C513.dll,f2 4B505FDA7C8060A24D406F8A34C5FCCB
Path: C:\Windows\system32\RUNDLL32.EXE
Parent process: rundll32.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Windows host process (Rundll32) | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 4080
CMD: "C:\Windows\System32\wusa.exe" /quiet
Path: C:\Windows\System32\wusa.exe
Parent process: rundll32.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Windows Update Standalone Installer | Exit code: 3221226540 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3716
CMD: "C:\Windows\System32\wusa.exe" /quiet
Path: C:\Windows\System32\wusa.exe
Parent process: rundll32.exe
User: admin | Company: Microsoft Corporation | Integrity level: HIGH
Description: Windows Update Standalone Installer | Exit code: 87 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 184
CMD: C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\F35802F6\EB29C513.dll,f8
Path: C:\Windows\system32\RUNDLL32.EXE
Parent process: rundll32.exe
User: admin | Company: Microsoft Corporation | Integrity level: HIGH
Description: Windows host process (Rundll32) | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 707
Read events: 1 337
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 7
Suspicious files: 5
Text files: 4
Unknown types: 15

Dropped files

Each entry lists PID and process, the dropped file, its type as classified by the sandbox, and its hashes where the report lists them.

PID 3516, rundll32.exe: C:\ProgramData\F35802F6\37C8843F
Type: not listed | MD5: not listed | SHA256: not listed

PID 3304, RUNDLL32.EXE: C:\Users\admin\AppData\Local\Temp\1809109.tmp-shm
Type: not listed | MD5: not listed | SHA256: not listed

PID 3456, RUNDLL32.EXE: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal
Type: not listed | MD5: not listed | SHA256: not listed

PID 3456, RUNDLL32.EXE: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db-journal
Type: not listed | MD5: not listed | SHA256: not listed

PID 3304, RUNDLL32.EXE: C:\Users\admin\AppData\Local\Temp\1802875.tmp
Type: sqlite | MD5: 60B51BA20224AC3783E213EA9F55F125 | SHA256: 0E305BA02985F26B29B234CD79D2C2AF0A51085DA2DB2BED98D20F8C61B76254

PID 3304, RUNDLL32.EXE: C:\Users\admin\AppData\Local\Temp\1802453.tmp
Type: sqlite | MD5: 60B51BA20224AC3783E213EA9F55F125 | SHA256: 0E305BA02985F26B29B234CD79D2C2AF0A51085DA2DB2BED98D20F8C61B76254

PID 3980, rundll32.exe: C:\ProgramData\F35802F6\CB6A39B2\5C2ABCDD2AF642361C15379E7F621DA1
Type: binary | MD5: 6D9C01AB225E7F0EB576A440DCEB7D17 | SHA256: DD49FE3B7F67359EBECB180C1F7DC9DDA0ECE36FC32D0336DDC32C82C7FFAEFE

PID 116, explorer.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
Type: binary | MD5: A544299EBCF6CBB9A7E0218C40D8C0E4 | SHA256: D9E3D069797151D63A6FCFD114EB2B78BBB1633370D23AADBA33F84480454639

PID 3988, WScript.exe: C:\Users\admin\AppData\Local\Temp\ofoM.dll
Type: executable | MD5: 8D646248A3E7B4DC2E7897CAE3AC2DFB | SHA256: 60F896B51E06D43BB0D48D539BCAC2555AB3F4E6428CF02745ABD3EB3749A18F

PID 340, svchost.exe: C:\ProgramData\F35802F6\1DABC5A9
Type: text | MD5: ABF9714187F87C2581194FD5720157AE | SHA256: 5C6D1F8EB32DF09A8EC09812D1D41B1F1EBD59FF17A70D255393E9EC6190FB3F
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID, process, IP:port, domain, ASN, CN (country), reputation. No domain is listed for any connection (all are direct-to-IP on port 443).

3516 | rundll32.exe | 214.161.108.156:443 | domain: none | ASN: DoD Network Information Center | US | malicious
3516 | rundll32.exe | 62.187.103.29:443 | domain: none | ASN: not listed | GB | malicious
340 | svchost.exe | 158.35.168.121:443 | domain: none | ASN: AT&T Services, Inc. | US | malicious
3516 | rundll32.exe | 89.144.25.104:443 | domain: none | ASN: GHOSTnet GmbH | DE | malicious
340 | svchost.exe | 132.0.199.51:443 | domain: none | ASN: DoD Network Information Center | US | malicious
3516 | rundll32.exe | 153.182.78.20:443 | domain: none | ASN: NTT Communications Corporation | JP | malicious
340 | svchost.exe | 36.129.215.52:443 | domain: none | ASN: Guangdong Mobile Communication Co.Ltd. | CN | malicious

DNS requests

No data

Threats

Columns: PID, process, class, message. The same alert fired 10 times for the one process:

3516 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I (10 identical alerts)
1 ETPRO signature is available in the full report
No debug info