File name:	FIRSTPROLIVNEW.txt
Full analysis:	https://app.any.run/tasks/fc619b18-41cd-4ff1-8652-16b25f4d91ba
Verdict:	Malicious activity
Threats:	Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 18, 2025, 23:53:11
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader danabot stealer
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (1165), with CRLF line terminators
MD5:	B3DAD34E5E6A2F70B16CBD5A163B8AE4
SHA1:	1EAB40171C6BFA62F8C17A4DDFA9D2D0F11BF78E
SHA256:	FF5968DEE54D79D8301AFE5B8CFFD1AA23AFE5427D116774CB16567042A535AE
SSDEEP:	3072:SFbc4F7dx+hYDGzHoIutwbHKb/0+o8Wx/uZF2yH1WSg0Re:SB3F7dx+hYazIIAaHw/O8Wx/uLgSa


(PID) Process:	(2996) Dashboard.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	SecureProtocols
Value: 2688
(PID) Process:	(2996) Dashboard.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost\IndexedDB\Microsoft.AsyncTextService_8wekyb3d8bbwe
Operation:	write	Name:	PerPackageIndexedDBEnabled
Value: 1
(PID) Process:	(2996) Dashboard.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\EmieUserList
Operation:	write	Name:	CacheRelativePath
Value: Microsoft\Internet Explorer\EmieUserList
(PID) Process:	(2996) Dashboard.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ZonesSecurityUpgrade
Value: DB847CA30259DA01
(PID) Process:	(2996) Dashboard.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyServer
Value: 127.0.0.1:23160
(PID) Process:	(2996) Dashboard.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppBroadcast
Operation:	write	Name:	DefaultPlugInEventId
Value: {5504e330-9d3d-44c5-8786-c9b100cd9893}
(PID) Process:	(2996) Dashboard.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CacheLimit
Value: 1
(PID) Process:	(2996) Dashboard.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	DisableIDNPrompt
Value: 0
(PID) Process:	(2996) Dashboard.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CacheLimit
Value: 337920
(PID) Process:	(2996) Dashboard.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
Operation:	write	Name:	EnableWebContentEvaluation
Value: 0

PID	Process	Filename		Type
3524	HGUETURW.exe	C:\Users\admin\AppData\Local\Temp\{A4B11F80-7240-4297-9AEB-A4B914D0ED30}\.ba\flagellator.msg		—
		MD5:—	SHA256:—
7116	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_og2mhqka.vjb.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7116	powershell.exe	C:\Users\admin\AppData\Roaming\HGUETURW.exe		executable
		MD5:C655B98DD20AB5B3DC8961CC31B09D60	SHA256:88EAFDEB69CEF4DB4A96C4BB97EA3BAD3583E8A47AF0346E308E28EC925B0E41
4320	Dashboard.exe	C:\Users\admin\AppData\Roaming\KIIupload\flagellator.msg		—
		MD5:—	SHA256:—
4716	Dashboard.exe	C:\Users\admin\AppData\Local\Temp\1e559a90		—
		MD5:—	SHA256:—
7116	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fluzhay1.mef.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4980	cmd.exe	C:\Users\admin\AppData\Local\Temp\sixunihixgpb		—
		MD5:—	SHA256:—
7116	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF143d27.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7116	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:FCE558C30EEBADBA45FAE1BC291EE241	SHA256:68D20C4F375217909CEA429009DA73192E4E4931FD8F2D6D6C269F4CDF0A9B30
7116	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zig32u4q.04n.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.166:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2380	svchost.exe	GET	200	23.48.23.166:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2380	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6868	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6868	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7116	powershell.exe	GET	200	89.23.96.207:80	http://89.23.96.207/HGUETURW.exe	unknown	—	—	unknown
6224	backgroundTaskHost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.166:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2380	svchost.exe	23.48.23.166:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2380	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	104.126.37.178:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1076	svchost.exe	184.30.18.9:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
crl.microsoft.com	23.48.23.166 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.185.142	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
www.bing.com	104.126.37.178 104.126.37.185 104.126.37.128 104.126.37.170 104.126.37.144 104.126.37.139	whitelisted
go.microsoft.com	184.30.18.9	whitelisted
login.live.com	40.126.32.72 40.126.32.138 40.126.32.133 20.190.160.17 20.190.160.22 40.126.32.68 40.126.32.134 20.190.160.20	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted

PID	Process	Class	Message
7116	powershell.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
7116	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
7116	powershell.exe	Misc activity	ET INFO Request for EXE via Powershell
7116	powershell.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7116	powershell.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2996	Dashboard.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Danabot TCP Packet
2996	Dashboard.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Danabot TCP Packet

General Info

FIRSTPROLIVNEW.txt

B3DAD34E5E6A2F70B16CBD5A163B8AE4

1EAB40171C6BFA62F8C17A4DDFA9D2D0F11BF78E

FF5968DEE54D79D8301AFE5B8CFFD1AA23AFE5427D116774CB16567042A535AE

3072:SFbc4F7dx+hYDGzHoIutwbHKb/0+o8Wx/uZF2yH1WSg0Re:SB3F7dx+hYazIIAaHw/O8Wx/uLgSa

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses AES cipher (POWERSHELL)

Bypass execution policy to execute commands

Stealers network behavior

Actions looks like stealing of personal data

DANABOT has been detected (SURICATA)

Steals credentials from Web Browsers

SUSPICIOUS

Connects to the server without a host name

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

Executable content was dropped or overwritten

Starts itself from another location

Process drops legitimate windows executable

The process drops C-runtime libraries

Starts a Microsoft application from unusual location

Uses WMIC.EXE to obtain physical disk drive information

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Reads security settings of Internet Explorer

Contacting a server suspected of hosting an CnC

Searches for installed software

Loads DLL from Mozilla Firefox

The process verifies whether the antivirus software is installed

Uses RUNDLL32.EXE to load library

Reads the date of Windows installation

Reads the Windows owner or organization settings

INFO

Checks proxy server information

Gets data length (POWERSHELL)

Checks whether the specified file exists (POWERSHELL)

Script raised an exception (POWERSHELL)

Reads security settings of Internet Explorer

Manual execution by a user

Disables trace logs

The sample compiled with english language support

The process uses the downloaded file

Checks supported languages

Create files in a temporary directory

Reads the computer name

Reads product name

Reads Environment values

Reads CPU info

Reads Windows Product ID

Creates files or folders in the user directory

Reads the machine GUID from the registry

Creates files in the program directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information