Overview

overview

10

Static

static

f855a98d43...29.exe

windows7_x64

10

f855a98d43...29.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    02-12-2020 14:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f855a98d4367685b38e0c961627ef029.exe

  • Size

    671KB

  • MD5

    f855a98d4367685b38e0c961627ef029

  • SHA1

    f111814ebf9950785a8e932627abfae9c3ec24ef

  • SHA256

    37cb831726dc1877ea59cf5618e4fa224368bbd64a7047dec6fb554a6a17d4c2

  • SHA512

    c3e295ac5f46c8400ebe9846eaddea93b06f4023cc36751654ae9ff73f4dc0e33510fbe4ef2ebf9ff24328ac316158b77560620ad6db8d4dc8791756b1e7386c

Score
10/10
danabot3bankerdiscoveryevasionspywarestealertrojan

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

104.227.34.227:443

64.188.20.187:443

51.195.73.129:443

176.123.2.249:443
Attributes
  • embedded_hash

    6266E79288DFE2AE2C2DB47563C7F93A

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 7 IoCs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f855a98d4367685b38e0c961627ef029.exe
    "C:\Users\Admin\AppData\Local\Temp\f855a98d4367685b38e0c961627ef029.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Users\Admin\AppData\Local\Temp\File2.exe
      "C:\Users\Admin\AppData\Local\Temp\File2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Program Files (x86)\solfer\boleroh\lvlar.exe
        "C:\Program Files (x86)\solfer\boleroh\lvlar.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3824
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\pvtxmasaa.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Users\Admin\AppData\Local\Temp\pvtxmasaa.exe
            "C:\Users\Admin\AppData\Local\Temp\pvtxmasaa.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1332
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\PVTXMA~1.EXE
              6⤵
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2124
              • C:\Windows\SysWOW64\RUNDLL32.EXE
                C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL,LycILDZIBeQ=
                7⤵
                • Blocklisted process makes network request
                • Loads dropped DLL
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of WriteProcessMemory
                PID:1204
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2BA5.tmp.ps1"
                  8⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3804
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3F3E.tmp.ps1"
                  8⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3144
                  • C:\Windows\SysWOW64\nslookup.exe
                    "C:\Windows\system32\nslookup.exe" -type=any localhost
                    9⤵
                      PID:1904
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
                    8⤵
                      PID:2712
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
                      8⤵
                        PID:2188
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\hpjrsgjgcc.vbs"
                4⤵
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1728
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hpjrsgjgcc.vbs"
                  5⤵
                  • Blocklisted process makes network request
                  • Modifies system certificate store
                  PID:1492
            • C:\Program Files (x86)\solfer\4pla.exe
              "C:\Program Files (x86)\solfer\4pla.exe"
              3⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Drops startup file
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3052
              • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                4⤵
                • Executes dropped EXE
                • Checks BIOS information in registry
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious behavior: EnumeratesProcesses
                PID:1096
            • C:\Program Files (x86)\solfer\startver.exe
              "C:\Program Files (x86)\solfer\startver.exe"
              3⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1608
              • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
                C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
                4⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:200
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3920
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
                  5⤵
                  • Creates scheduled task(s)
                  PID:2144
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f855a98d4367685b38e0c961627ef029.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3708
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              3⤵
              • Delays execution with timeout.exe
              PID:3820

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Virtualization/Sandbox Evasion

        2
        T1497

        Install Root Certificate

        1
        T1130

        Modify Registry

        1
        T1112

        Credential Access

        Credentials in Files

        2
        T1081

        Discovery

        Query Registry

        5
        T1012

        Virtualization/Sandbox Evasion

        2
        T1497

        System Information Discovery

        3
        T1082

        Lateral Movement

        Collection

        Data from Local System

        2
        T1005

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\solfer\4pla.exe
          Download Submit
        • C:\Program Files (x86)\solfer\4pla.exe
          Download Submit
        • C:\Program Files (x86)\solfer\boleroh\lvlar.exe
          Download Submit
        • C:\Program Files (x86)\solfer\boleroh\lvlar.exe
          Download Submit
        • C:\Program Files (x86)\solfer\startver.exe
          Download Submit
        • C:\Program Files (x86)\solfer\startver.exe
          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\32.exe
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\EPSVCW~1.ZIP
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\PYY0S8~1.ZIP
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\_Files\_INFOR~1.TXT
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\_Files\_SCREE~1.JPE
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\files_\SCREEN~1.JPG
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\4434bkXZnF0Y\files_\SYSTEM~1.TXT
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\64.exe
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\File2.exe
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\File2.exe
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\hpjrsgjgcc.vbs
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\pvtxmasaa.exe
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\pvtxmasaa.exe
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp2BA5.tmp.ps1
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp2BA6.tmp
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp3F3E.tmp.ps1
          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp3F3F.tmp
          Download Submit
        • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
          Download Submit
        • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
          Download Submit
        • \Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL
          Download Submit
        • \Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL
          Download Submit
        • \Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL
          Download Submit
        • \Users\Admin\AppData\Local\Temp\PVTXMA~1.DLL
          Download Submit
        • \Users\Admin\AppData\Local\Temp\nsk790F.tmp\UAC.dll
          Download Submit
        • memory/200-41-0x0000000000000000-mapping.dmp
          Download
        • memory/1092-7-0x0000000000000000-mapping.dmp
          Download
        • memory/1096-39-0x0000000005430000-0x0000000005431000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1096-38-0x0000000004C30000-0x0000000004C31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1096-35-0x0000000000000000-mapping.dmp
          Download
        • memory/1096-40-0x0000000004C30000-0x0000000004C31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-64-0x0000000004D70000-0x00000000053D0000-memory.dmp
          Filesize

          6.4MB

          Download
        • memory/1204-102-0x0000000006670000-0x0000000006671000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-60-0x0000000000000000-mapping.dmp
          Download
        • memory/1332-51-0x0000000000000000-mapping.dmp
          Download
        • memory/1332-54-0x0000000002FD0000-0x0000000002FD1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1332-50-0x0000000000000000-mapping.dmp
          Download
        • memory/1492-66-0x0000000000000000-mapping.dmp
          Download
        • memory/1608-33-0x000000000BA50000-0x000000000BA51000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1608-32-0x000000000B250000-0x000000000B251000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1608-25-0x0000000000000000-mapping.dmp
          Download
        • memory/1728-61-0x0000000000000000-mapping.dmp
          Download
        • memory/1904-100-0x0000000000000000-mapping.dmp
          Download
        • memory/2124-59-0x0000000004C40000-0x00000000052A0000-memory.dmp
          Filesize

          6.4MB

          Download
        • memory/2124-55-0x0000000000000000-mapping.dmp
          Download
        • memory/2144-46-0x0000000000000000-mapping.dmp
          Download
        • memory/2188-105-0x0000000000000000-mapping.dmp
          Download
        • memory/2216-49-0x0000000000000000-mapping.dmp
          Download
        • memory/2712-104-0x0000000000000000-mapping.dmp
          Download
        • memory/3052-21-0x0000000000000000-mapping.dmp
          Download
        • memory/3052-30-0x0000000004900000-0x0000000004901000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3052-31-0x0000000005100000-0x0000000005101000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3144-95-0x0000000008250000-0x0000000008251000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3144-92-0x0000000007DA0000-0x0000000007DA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3144-86-0x00000000709C0000-0x00000000710AE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3144-84-0x0000000000000000-mapping.dmp
          Download
        • memory/3708-10-0x0000000000000000-mapping.dmp
          Download
        • memory/3804-73-0x00000000075B0000-0x00000000075B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-71-0x0000000007510000-0x0000000007511000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-77-0x0000000007F90000-0x0000000007F91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-75-0x0000000007B70000-0x0000000007B71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-79-0x0000000008100000-0x0000000008101000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-80-0x0000000009750000-0x0000000009751000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-81-0x0000000008CE0000-0x0000000008CE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-82-0x0000000006AF0000-0x0000000006AF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-74-0x0000000007800000-0x0000000007801000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-67-0x0000000000000000-mapping.dmp
          Download
        • memory/3804-72-0x0000000007690000-0x0000000007691000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-76-0x00000000080A0000-0x00000000080A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-70-0x0000000006E70000-0x0000000006E71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-69-0x0000000004480000-0x0000000004481000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-68-0x0000000070FA0000-0x000000007168E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3820-18-0x0000000000000000-mapping.dmp
          Download
        • memory/3824-29-0x0000000005A20000-0x0000000005A21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3824-28-0x0000000005220000-0x0000000005221000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3824-19-0x0000000000000000-mapping.dmp
          Download
        • memory/3920-45-0x0000000000000000-mapping.dmp
          Download
        • memory/3992-2-0x00000000029B0000-0x00000000029B1000-memory.dmp
          Filesize

          4KB

          Download