Analysis

  • max time kernel
    62s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    14-09-2020 00:55

General

  • Target

    file.bin.exe

  • Size

    3.9MB

  • MD5

    370f78f7032ad6a8a34ac1e662f7532c

  • SHA1

    5bc4edf95bcbb5385ba7aeef170095de9e855d2e

  • SHA256

    d489e786f3f7451df3db5bd5dd3de6519a48a1271986d894b29412809e952cf4

  • SHA512

    c60ae2bd556e9e46c5138fc6ec932d44dac4bf2a1de13143b36873d86a502dfca0a225b493c206359950a2c69880f0e5d5a4aada5cdc3ccab723d390a6162843

Malware Config

Extracted

Family

danabot

C2

89.44.9.132

64.188.23.70

179.43.133.35

45.147.231.218

89.45.4.126

rsa_pubkey.plain

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot x86 payload 5 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 14 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\file.bin.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3180
    • C:\Windows\SysWOW64\CScript.exe
      "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ladfer\kigfs\file.vbs" //e:vbscript //B //NOLOGO
      2⤵
      • Blocklisted process makes network request
      PID:368
    • C:\Program Files (x86)\Ladfer\kigfs\1_1.exe
      "C:\Program Files (x86)\Ladfer\kigfs\1_1.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\KBOX6TG & timeout 2 & del /f /q "C:\Program Files (x86)\Ladfer\kigfs\1_1.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:1784
    • C:\Program Files (x86)\Ladfer\kigfs\file.exe
      "C:\Program Files (x86)\Ladfer\kigfs\file.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\jollifdgxjc.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Users\Admin\AppData\Local\Temp\jollifdgxjc.exe
          "C:\Users\Admin\AppData\Local\Temp\jollifdgxjc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2004
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\JOLLIF~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\JOLLIF~1.EXE@2004
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:3896
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\JOLLIF~1.DLL,f0
              6⤵
              • Blocklisted process makes network request
              • Loads dropped DLL
              PID:3316
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\eiqugnkjmut.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3500
        • C:\Users\Admin\AppData\Local\Temp\eiqugnkjmut.exe
          "C:\Users\Admin\AppData\Local\Temp\eiqugnkjmut.exe"
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3708
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ugfufwq & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\eiqugnkjmut.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3016
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:1640
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ugfufwq & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\eiqugnkjmut.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3524
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:3516
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\kugsmiawyw.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Users\Admin\AppData\Local\Temp\kugsmiawyw.exe
          "C:\Users\Admin\AppData\Local\Temp\kugsmiawyw.exe"
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Drops startup file
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3840
          • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
            "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Ladfer\kigfs\1_1.exe
    MD5

    9fc7991c040724b3a035caf41b378bb9

    SHA1

    36b2938fb4f7248cd0a32b08442f8124992888e2

    SHA256

    84bbee23172ffbe2e22b767fcee1f3ca12de05320d09f09ef19e9e4b1004d11c

    SHA512

    756162da4a0a8a618cbbbf95d47a7c8988a6375ce858dc06770c78de417a29fb06778a4259af07e123e575b89428bed3a2e082b4284a0022f5125ad418c9aae7

  • C:\Program Files (x86)\Ladfer\kigfs\1_1.exe
  • C:\Program Files (x86)\Ladfer\kigfs\file.exe
  • C:\Program Files (x86)\Ladfer\kigfs\file.exe
  • C:\Program Files (x86)\Ladfer\kigfs\file.vbs
    MD5

    270a3db0d6ca46a7b78f004f78b6ff04

    SHA1

    094d82c47b3b7710373ff32c29f60b4cb81f68c8

    SHA256

    0b9613013bbbe305bb638b9fbfd6ccbbdb2a99980301c82ee9884ce1f95cf763

    SHA512

    d78b772b5bbeb96ea59c34886901c9523bd6009335bbd8695c92ce9ba09513b2286090e99da0d4c9b773e1def72d8fcdf57dbe641dfad2bad7e09bd59d6113dd

  • C:\ProgramData\ugfufwq\46173476.txt
  • C:\ProgramData\ugfufwq\8372422.txt
  • C:\ProgramData\ugfufwq\Files\_INFOR~1.TXT
  • C:\ProgramData\ugfufwq\NL_202~1.ZIP
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\809F549ACD5D5E0FC927377BAAE913CC
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\809F549ACD5D5E0FC927377BAAE913CC
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
  • C:\Users\Admin\AppData\Local\Temp\JOLLIF~1.DLL
    MD5

    f44d1c7820bb02b486871ba9eab2f226

    SHA1

    d040d7b886002f37924536425b43091f21a3844b

    SHA256

    24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

    SHA512

    b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\DinYG.tmp
  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\EHN6IC~1.ZIP
  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\UeZk.tmp
  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\_Files\_INFOR~1.TXT
  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\_Files\_SCREE~1.JPE
  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\cRXmp.tmp
  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\files_\SCREEN~1.JPG
  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\files_\SYSTEM~1.TXT
  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\mMDN.tmp
  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\n4fbXzYJ.zip
  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\phoY.tmp
  • C:\Users\Admin\AppData\Local\Temp\KBOX6TG\ukeF.tmp
  • C:\Users\Admin\AppData\Local\Temp\eiqugnkjmut.exe
  • C:\Users\Admin\AppData\Local\Temp\eiqugnkjmut.exe
  • C:\Users\Admin\AppData\Local\Temp\jollifdgxjc.exe
  • C:\Users\Admin\AppData\Local\Temp\jollifdgxjc.exe
  • C:\Users\Admin\AppData\Local\Temp\kugsmiawyw.exe
  • C:\Users\Admin\AppData\Local\Temp\kugsmiawyw.exe
  • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  • \Users\Admin\AppData\Local\Temp\JOLLIF~1.DLL
    MD5

    f44d1c7820bb02b486871ba9eab2f226

    SHA1

    d040d7b886002f37924536425b43091f21a3844b

    SHA256

    24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

    SHA512

    b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

  • \Users\Admin\AppData\Local\Temp\JOLLIF~1.DLL
    MD5

    f44d1c7820bb02b486871ba9eab2f226

    SHA1

    d040d7b886002f37924536425b43091f21a3844b

    SHA256

    24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

    SHA512

    b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

  • \Users\Admin\AppData\Local\Temp\JOLLIF~1.DLL
    MD5

    f44d1c7820bb02b486871ba9eab2f226

    SHA1

    d040d7b886002f37924536425b43091f21a3844b

    SHA256

    24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

    SHA512

    b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

  • \Users\Admin\AppData\Local\Temp\JOLLIF~1.DLL
    MD5

    f44d1c7820bb02b486871ba9eab2f226

    SHA1

    d040d7b886002f37924536425b43091f21a3844b

    SHA256

    24bba101da3da6aefc2b1d454ede986180a5ac31c00ec601cc2d6827b00b26c2

    SHA512

    b633e8f09b12178da24e4dbd022289d4fdf0061175cd685e8357cef51183247da436deb81fd3672f8839b581428c3c46547c5dd3fcf4f726bc72dc070fc02baf

  • \Users\Admin\AppData\Local\Temp\nsq166D.tmp\UAC.dll
    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • \Users\Admin\AppData\Local\Temp\nsq166D.tmp\nsExec.dll
    MD5

    132e6153717a7f9710dcea4536f364cd

    SHA1

    e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

    SHA256

    d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

    SHA512

    9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

  • memory/368-2-0x0000000000000000-mapping.dmp
  • memory/524-36-0x0000000000000000-mapping.dmp
  • memory/1628-55-0x0000000000000000-mapping.dmp
  • memory/1640-76-0x0000000000000000-mapping.dmp
  • memory/1784-31-0x0000000000000000-mapping.dmp
  • memory/1848-4-0x0000000000000000-mapping.dmp
  • memory/1848-12-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
    Filesize

    4KB

  • memory/1848-13-0x00000000057F0000-0x00000000057F1000-memory.dmp
    Filesize

    4KB

  • memory/1848-14-0x0000000005870000-0x0000000005871000-memory.dmp
    Filesize

    4KB

  • memory/2004-42-0x0000000002880000-0x0000000002881000-memory.dmp
    Filesize

    4KB

  • memory/2004-37-0x0000000000000000-mapping.dmp
  • memory/2004-38-0x0000000000000000-mapping.dmp
  • memory/2016-7-0x0000000000000000-mapping.dmp
  • memory/2016-10-0x0000000004AB0000-0x0000000004AB1000-memory.dmp
    Filesize

    4KB

  • memory/2016-11-0x00000000052B0000-0x00000000052B1000-memory.dmp
    Filesize

    4KB

  • memory/2336-68-0x0000000004840000-0x0000000004841000-memory.dmp
    Filesize

    4KB

  • memory/2336-69-0x0000000005040000-0x0000000005041000-memory.dmp
    Filesize

    4KB

  • memory/2336-65-0x0000000000000000-mapping.dmp
  • memory/2476-18-0x0000000000000000-mapping.dmp
  • memory/3016-71-0x0000000000000000-mapping.dmp
  • memory/3316-47-0x0000000000000000-mapping.dmp
  • memory/3500-50-0x0000000000000000-mapping.dmp
  • memory/3516-78-0x0000000000000000-mapping.dmp
  • memory/3524-77-0x0000000000000000-mapping.dmp
  • memory/3708-57-0x0000000005BA0000-0x0000000005BA1000-memory.dmp
    Filesize

    4KB

  • memory/3708-52-0x0000000000000000-mapping.dmp
  • memory/3708-51-0x0000000000000000-mapping.dmp
  • memory/3708-56-0x00000000053A0000-0x00000000053A1000-memory.dmp
    Filesize

    4KB

  • memory/3840-64-0x0000000004B30000-0x0000000004B31000-memory.dmp
    Filesize

    4KB

  • memory/3840-63-0x0000000005330000-0x0000000005331000-memory.dmp
    Filesize

    4KB

  • memory/3840-62-0x0000000004B30000-0x0000000004B31000-memory.dmp
    Filesize

    4KB

  • memory/3840-58-0x0000000000000000-mapping.dmp
  • memory/3840-59-0x0000000000000000-mapping.dmp
  • memory/3896-43-0x0000000000000000-mapping.dmp