Overview

overview

10

Static

static

8

35f86945ca...16.exe

windows7_x64

10

35f86945ca...16.exe

windows10_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-01-2021 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    35f86945ca3277c1531ebd23a10d7c16.exe

  • Size

    631KB

  • MD5

    35f86945ca3277c1531ebd23a10d7c16

  • SHA1

    3e732eeb0e437732b8886be81ed817b2e8091778

  • SHA256

    4d00c84ecb0f03b44c878e617a5343ca2c8d06bfb588b1501d6f2f0c0c8e79fe

  • SHA512

    c319393cbd8eed3efc6eaf6ed802a0e3cda4a68870bfe3f8fe698fed64ebda6f204cac2498f4415fdd6386c04444e3f1d716689284159de34a8f44cce10cb562

Score
10/10
cryptbotdanabot3bankerdiscoveryevasionspywarestealertrojanupx

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

23.226.132.92:443

23.106.123.249:443

108.62.141.152:443

104.144.64.163:443
Attributes
  • embedded_hash

    49574F66CD0103BBD725C08A9805C2BE

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35f86945ca3277c1531ebd23a10d7c16.exe
    "C:\Users\Admin\AppData\Local\Temp\35f86945ca3277c1531ebd23a10d7c16.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\File332.exe
      "C:\Users\Admin\AppData\Local\Temp\File332.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
        "C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Drops startup file
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:936
        • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
          "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          PID:3876
      • C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
        "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3940
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\aqsploqydye & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4076
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:996
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\aqsploqydye & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1064
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:4120
      • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
        "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Users\Admin\AppData\Local\Temp\isenubblreql.exe
          "C:\Users\Admin\AppData\Local\Temp\isenubblreql.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3884
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ISENUB~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\ISENUB~1.EXE
            5⤵
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4140
            • C:\Windows\SysWOW64\RUNDLL32.EXE
              C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\ISENUB~1.DLL,dVceLDZnBaz9
              6⤵
              • Blocklisted process makes network request
              • Loads dropped DLL
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:4176
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE6FA.tmp.ps1"
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4456
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFB40.tmp.ps1"
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4752
                • C:\Windows\SysWOW64\nslookup.exe
                  "C:\Windows\system32\nslookup.exe" -type=any localhost
                  8⤵
                    PID:4924
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
                  7⤵
                    PID:4960
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
                    7⤵
                      PID:5008
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yppumwlckp.vbs"
                4⤵
                  PID:1096
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ktqwrrog.vbs"
                  4⤵
                  • Blocklisted process makes network request
                  • Modifies system certificate store
                  PID:4352
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\mMesjwWnlc & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\35f86945ca3277c1531ebd23a10d7c16.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2040
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                3⤵
                • Delays execution with timeout.exe
                PID:1056

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/936-26-0x0000000004900000-0x0000000004901000-memory.dmp

            Filesize

            4KB

            Download

          • memory/936-29-0x0000000005100000-0x0000000005101000-memory.dmp

            Filesize

            4KB

            Download

          • memory/936-31-0x0000000004900000-0x0000000004901000-memory.dmp

            Filesize

            4KB

            Download

          • memory/936-30-0x0000000004900000-0x0000000004901000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1124-2-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2052-24-0x0000000005400000-0x0000000005401000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2052-27-0x0000000005C00000-0x0000000005C01000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3876-35-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3876-36-0x00000000052B0000-0x00000000052B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3884-48-0x0000000006D60000-0x0000000006D61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3940-28-0x0000000004D10000-0x0000000004D11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3940-25-0x0000000004510000-0x0000000004511000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4140-54-0x0000000004E30000-0x000000000548F000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/4176-58-0x0000000005220000-0x000000000587F000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/4456-63-0x00000000069E0000-0x00000000069E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-66-0x00000000079B0000-0x00000000079B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-70-0x0000000008300000-0x0000000008301000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-71-0x0000000008200000-0x0000000008201000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-68-0x0000000007B70000-0x0000000007B71000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-73-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-74-0x0000000009950000-0x0000000009951000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-75-0x0000000008EE0000-0x0000000008EE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-76-0x00000000082E0000-0x00000000082E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-67-0x0000000007B00000-0x0000000007B01000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-69-0x0000000007940000-0x0000000007941000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-62-0x00000000711D0000-0x00000000718BE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4456-64-0x0000000007050000-0x0000000007051000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4456-65-0x0000000007730000-0x0000000007731000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4752-89-0x00000000084F0000-0x00000000084F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4752-86-0x0000000007F80000-0x0000000007F81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4752-80-0x0000000070D90000-0x000000007147E000-memory.dmp

            Filesize

            6.9MB

            Download