Overview

overview

10

Static

static

SecuriteIn...16.exe

windows7_x64

10

SecuriteIn...16.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    24-06-2020 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe

  • Size

    2.6MB

  • MD5

    fd03fccdce84ae08518761609f524f78

  • SHA1

    0a288baeca49b834de50cb1f5b02a967818b8248

  • SHA256

    57d5d3c20111dcdb68165ce1b0189bd2f4256584642266f9f1f4ed000096e976

  • SHA512

    d91b646c6bab1add593ada5be488b58f37e21bb54969ec5c38227a92a3f37b5f2ce93de923cc9bb93a79758a435c4315c17ed2f67f5534eb82cd05a36b696950

Score
10/10
danabotbankerbotnettrojan

Malware Config

Extracted

Family

danabot

C2

92.204.160.126

193.34.166.26

93.115.22.159

93.115.22.165

185.227.138.52
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 4 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 10 IoCs
  • Loads dropped DLL 3 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE@3932
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:3608
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 420
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    ba5bcacdd2930de8898da02eb76bd9d1

    SHA1

    2d6cdd794b651a92753113b58139957635efea7c

    SHA256

    a59a10879e0a2db88c6ea80f31a85962b7e4e89b6e2c4d4cac459b1580422b78

    SHA512

    b46fb1ee60d7c22bd943462fcd5107645189b509dc564f4e1a0b6b5f04ef7a42aeaad117f217f4f3096baa09beb953eb65a7588a9ba432a3632d3fe35edf8a27

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    ba5bcacdd2930de8898da02eb76bd9d1

    SHA1

    2d6cdd794b651a92753113b58139957635efea7c

    SHA256

    a59a10879e0a2db88c6ea80f31a85962b7e4e89b6e2c4d4cac459b1580422b78

    SHA512

    b46fb1ee60d7c22bd943462fcd5107645189b509dc564f4e1a0b6b5f04ef7a42aeaad117f217f4f3096baa09beb953eb65a7588a9ba432a3632d3fe35edf8a27

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    ba5bcacdd2930de8898da02eb76bd9d1

    SHA1

    2d6cdd794b651a92753113b58139957635efea7c

    SHA256

    a59a10879e0a2db88c6ea80f31a85962b7e4e89b6e2c4d4cac459b1580422b78

    SHA512

    b46fb1ee60d7c22bd943462fcd5107645189b509dc564f4e1a0b6b5f04ef7a42aeaad117f217f4f3096baa09beb953eb65a7588a9ba432a3632d3fe35edf8a27

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    ba5bcacdd2930de8898da02eb76bd9d1

    SHA1

    2d6cdd794b651a92753113b58139957635efea7c

    SHA256

    a59a10879e0a2db88c6ea80f31a85962b7e4e89b6e2c4d4cac459b1580422b78

    SHA512

    b46fb1ee60d7c22bd943462fcd5107645189b509dc564f4e1a0b6b5f04ef7a42aeaad117f217f4f3096baa09beb953eb65a7588a9ba432a3632d3fe35edf8a27

    Download Submit
  • memory/3608-9-0x0000000000000000-mapping.dmp
    Download
  • memory/3872-2-0x0000000000000000-mapping.dmp
    Download
  • memory/3932-1-0x0000000005530000-0x0000000005531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3956-6-0x00000000044A0000-0x00000000044A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3956-7-0x00000000044A0000-0x00000000044A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3956-11-0x00000000049E0000-0x00000000049E1000-memory.dmp
    Filesize

    4KB

    Download