#Danabot_banker_190918

1. #IOC #OptiData #VR #js #WSH #lzh #Danabot #Banking #Trojan
2.  
3. SHA-256 43ea493d699d91a97c396d822fd73fdb60581c0628ee00f44b6657d117cb9455
4. File name Рахунки от 18.09.18p Пластикс-Украина.zip.lzh (LHarc 1.x/ARX archive data [lh0])
5. File size 2.37 MB
6.  
7. SHA-256 a4dd700679716fa87780c90e7d849ca473d2b643ad8644afab10b0728224ce41
8. File name 18.09.2018.doc (CLEAN)
9. File size 34 KB
10.  
11. SHA-256 ed928077847f780af36a9198d1e3ef1c5b1dd17739a50d5560e1f2094435e9db
12. File name 45.xls.js
13. File size 2.33 MB
14.  
15. cat 45.xls.js | grep -o "q.WriteText(h('[a-z0-9]*'));" | sed "s|q.WriteText(h('\(.*\)'));|\1|g" | tr -d '\r\n' | rax2 -s > out.bin ## thanks to @Racco42
16.  
17. JS > EXE
18.  
19. SHA-256 8853f604d7bd146fb18eb9a94ae417809865d9da1fbf9847eb05d1702d9b8f7b
20. File name Tempa.exe
21. File size 455.5 KB
22.  
23. SHA-256 bb5520595a0bac6f55834e1e05eca80ea57ff18c03d0f4250d07b31227836e9a
24. File name Loader_2018-09-19_09-38.exe
25. File size 132.5 KB
26.  
27. SHA-256 47b3151b520a34ccd7306d216a86e60d06504186cd8d2eb986eda192e47c41ba
28. File size 1.61 MB
29. Last analysis 2018-09-19 13:01:54 UTC
30.  
31. SHA-256 7ee5206c758df0aaa019146d53f487ca9b0b1b0c79ef3b4dde557613a23f588d
32. File name CCF81064.dll
33. File size 2.53 MB
34.  
35. act
36. ------
37. wscript.exe C:\Users\operator\Desktop\45.xls.js
38. "C:\Users\support\AppData\Local\Tempa.exe"
39. C:\Windows\system32\rundll32.exe C:\Users\support\AppData\Local\Tempa.dll,f1 C:\Users\support\AppData\Local\Tempa.exe
40. C:\Windows\system32\rundll32.exe C:\PROGRA~3\CCF81016\CCF81064.dll,f1 C:\Users\support\AppData\Local\Tempa.dll
41. C:\Windows\system32\rundll32.exe C:\PROGRA~3\CCF81016\CCF81064.dll,f1 C:\Users\support\AppData\Local\Tempa.dll
42.  
43. C:\Windows\system32\svchost.exe -k LocalService
44. C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f7
45. C:\Windows\system32\RUNDLL32.EXE C:\PROGRA~3\CCF81016\CCF81064.DLL,f7
46. C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f5 759CBB3E1B883BDCA23E9052462F641E
47. C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f5 E0FBBC92DB9927BFC474A64DF4F9C22F
48. C:\Windows\system32\RUNDLL32.EXE C:\PROGRA~3\CCF81016\CCF81064.DLL,f5 D0C851FBCA030928B535FAF3188DAFBA
49. C:\tmp\Loader_2018-09-19_09-38.exe
50. C:\Windows\\syswow64\rundll32.exe C:\PROGRA~3\CCF81016\CCF81032.DLL,f4 92A1097D7E8F836DB3A4ABAC9BDCCC5D
51.  
52. open_connect
53. ------------
54.  
55. rundll32.exe 536 TCP 45.77.51.69 443 ESTABLISHED
56. svchost.exe 2412 TCP 207.88.153.20 443 SYN_SENT
57. svchost.exe 2412 TCP 74.152.137.65 443 SYN_SENT
58. [System Process] 0 49570 178.209.51.227 443 TIME_WAIT
59. svchost.exe 2412 TCP 94.56.160.71 443 SYN_SENT
60.  
61. contacted_IPs
62. -------------
63. 31.75.54.55
64. 46.167.69.86
65. 6.13.208.236
66. 17.226.127.227
67. 31.75.54.55
68. 40.172.108.17
69. 43.171.4.68
70. 45.77.51.69
71. 45.77.54.180
72. 46.167.69.86
73. 60.71.138.9
74. 161.93.121.167
75. 2.21.242.213
76. 2.21.242.237
77. 202.233.79.53
78.  
79. persist
80. --------
81. CCF81016 Ведет наблюдение за системными событиями и уведомляет подписчиков системы событий COM+ об этих событиях. c:\programdata\ccf81016\ccf81064.dll 19.09.2018 13:58
82.  
83. @Tempa
84. service name: 13E95074
85. service path: C:\Windows\system32\svchost.exe -k LocalService
86. key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\13E95074\ImagePath
87. data: C:\Windows\system32\svchost.exe -k LocalService
88. key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\13E95074\Parameters\ServiceDll
89. data: C:\PROGRA~3\13E95074\13E95064.DLL
90.  
91. @Loader
92. file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surawciu.lnk
93. file: C:\Users\user\AppData\Roaming\Microsoft\Windows\surawciu\reiijwjf.exe
94.  
95. email_headers
96. ---------------
97.  
98. Received: from mx.fm.ukrtelecom.ua (mx.fm.ukrtelecom.ua [82.207.79.108]) by mailsrv.victim.com for <postmaster@victim.com>;
99. Wed, 19 Sep 2018 12:17:10 +0300 (EEST)
100. (envelope-from svarch@ukrpost.net)
101. Received: from mail2.ukrpost.ua (mail2.ukrpost.ua [82.207.79.2])
102. by mx.fm.ukrtelecom.ua with ESMTP id w8J7CE14010434-w8J7CE16010434; Wed, 19 Sep 2018 10:12:14 +0300
103. Received: from [109.229.10.210] (helo=210-10-229-109.pppoe.langate.ua.10.229.109.in-addr.arpa)
104. by mail2.ukrpost.ua with esmtpa (Exim 4.89)
105. (envelope-from <svarch@ukrpost.net>)
106. From: "=?utf-8?B?0K/QvdGH0YPQuiDQrtGA0ZbQuQ==?=" <svarch@ukrpost.net>
107. Subject: =?utf-8?B?0L3QvtCy0YvQtSDRgNCw0YUgMTkuMDkuMTjRgA==?=
108. To: "user1" <user1@victim.com>
109. Reply-To: "=?utf-8?B?0K/QvdGH0YPQuiDQrtGA0ZbQuQ==?=" <visual-lutsk@ukr.net>
110. Date: Wed, 19 Sep 2018 10:12:12 +0300
111.  
112. # # #
113. https://www.tgsoft.it/english/news_archivio_eng.asp?id=953
114. https://myonlinesecurity.co.uk/danabot-delivered-via-fake-dpd-delivery-notification/