Analysis

  • max time kernel
    132s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-04-2021 11:26

General

  • Target

    vpn.bin.exe

  • Size

    1.1MB

  • MD5

    5a4f537ffd75be93484d34543127898c

  • SHA1

    3b70254cce9cfcae221637c00610c6a7543f0272

  • SHA256

    d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74

  • SHA512

    871b2c0ab547ac8e8dd38f6500fd59a190cc04f53282a2eee77641d2e5139c9788aa40cd9dc4ae8bccfc2be04fadb7ce20f3f36592b660a404d93972d90c1a87

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

23.106.123.185:443

192.210.198.12:443

192.236.147.83:443

23.106.123.141:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request 8 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vpn.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\vpn.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\SysWOW64\makecab.exe
      "C:\Windows\System32\makecab.exe"
      2⤵
        PID:208
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c RlFBBTBnWWwxXYwFINyxjFlP & APjAehxPNGRyRlxhFSeDuKfwKH & cmd < Aprile.msi
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3544
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3348
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^gPIKOQDiOVOQAkxOJpjaiBEhzvnzmHdsLNWlyPxotLIoNpJmItLcVfDMkcdsalIiEvtNgpITPtgcTcmlNYKxWUvvplZJnePUrBDdyWkmcRGRwoSQWuDxmhlJqIDtlZcMg$" Tese.msi
            4⤵
              PID:1176
            • C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com
              Trascinava.exe.com Y
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2124
              • C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com
                C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com Y
                5⤵
                • Executes dropped EXE
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2688
                • C:\Users\Admin\AppData\Local\Temp\nvuohktp.exe
                  "C:\Users\Admin\AppData\Local\Temp\nvuohktp.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:1928
                  • C:\Windows\SysWOW64\rundll32.exe
                    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\NVUOHK~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\nvuohktp.exe
                    7⤵
                    • Loads dropped DLL
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1720
                    • C:\Windows\SysWOW64\RUNDLL32.EXE
                      C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\NVUOHK~1.DLL,bRdWZI2Y
                      8⤵
                      • Blocklisted process makes network request
                      • Loads dropped DLL
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2436
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\raepcpokq.vbs"
                  6⤵
                    PID:3044
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cxarttygjso.vbs"
                    6⤵
                    • Blocklisted process makes network request
                    • Modifies system certificate store
                    PID:196
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1 -n 30
                4⤵
                • Runs ping.exe
                PID:3844

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Defense Evasion

        Install Root Certificate

        1
        T1130

        Modify Registry

        1
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Remote System Discovery

        1
        T1018

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Web Service

        1
        T1102

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\NVUOHK~1.DLL
          MD5

          aafd670c8407318a89a14453c1bfbcc1

          SHA1

          ebc4ffd7e7c17c25d17047581e9f728bb18e527c

          SHA256

          8c9ea69aa624cce70ba8cc22d42d306eed5decadaac3799fad19001f2b6eafd1

          SHA512

          7885593205fc96dd99c3691a960b562199f916c840d1ee70a826827dcdf1e2fd7c6340b8ff01a983d39994340ddc2d87d50be2c2f7e3e86f577aacb13a40e6fa

        • C:\Users\Admin\AppData\Local\Temp\cxarttygjso.vbs
          MD5

          7ad6c6a64022cfef4136f25615702927

          SHA1

          1f32aafa5115143bc21f15539426538f7918679a

          SHA256

          e7a869f7bd412fa2eae066c5007664ffbb28b2069f3e8ab123aaf90a135ec574

          SHA512

          c9d6c09f6a4dbdcfe62ac571428a698aecfbf9972b541c38143719ca1cc44c55a6de19e82a4750d03d0e43e4ac5e3cb92b6d62cf8eb05545969066e2e5826fc0

        • C:\Users\Admin\AppData\Local\Temp\nvuohktp.exe
          MD5

          f884aebec5fa77261ff0ebeb9cf7cb70

          SHA1

          dbe55e9b4f5243d28841627b942dc642ddcb9dba

          SHA256

          90c99980edda505c3ce727884dfab5fbf1f6955442737254d92cb9f439e6039a

          SHA512

          f196a97dd6515be4308d84e8d61c45169af72db60b290dbe798b40791a99a15b6f404f542a22a60c86d6db050502e17cdc3c93994e67c0924580c41e877a2a0e

        • C:\Users\Admin\AppData\Local\Temp\nvuohktp.exe
          MD5

          f884aebec5fa77261ff0ebeb9cf7cb70

          SHA1

          dbe55e9b4f5243d28841627b942dc642ddcb9dba

          SHA256

          90c99980edda505c3ce727884dfab5fbf1f6955442737254d92cb9f439e6039a

          SHA512

          f196a97dd6515be4308d84e8d61c45169af72db60b290dbe798b40791a99a15b6f404f542a22a60c86d6db050502e17cdc3c93994e67c0924580c41e877a2a0e

        • C:\Users\Admin\AppData\Local\Temp\raepcpokq.vbs
          MD5

          a3c373d31957da79f9bef3694963cb7f

          SHA1

          e8c2bc257ac4d88ba6da63014845b89ac93501f5

          SHA256

          41bab97eaf58ee39f5cee4acfd92c05b90c825ae7d6921c5aa0ab66c2264dfe8

          SHA512

          49b292dc5a054dbfcafcc3b66ef37f42472fa5a74155e38e0fd65e0ef6b4848650ff507348dbe8194c3bdbda559b883f97dabf9f0cb4dcc3782c00bee2534a6e

        • C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Aprile.msi
          MD5

          8467341efcb627b3b7c7997b9d18a2b3

          SHA1

          7902e7833c474f2fe4bd88669fcb103c8191617e

          SHA256

          7f8560f97d2f23f4006ca8bef5d9682f1e621636f821cc03ba2187835443dab4

          SHA512

          fb59e9b9c0a463977f1100076f37193dcfa29e2dac2487a19914409c78134b741ecdf59cf3797ccffb5628be008068e0e09d57326487dcc9f3c7864e859cf418

        • C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Distrugge.msi
          MD5

          ca9ab8aa57ce91b56ea5f97fc2ff6deb

          SHA1

          0aed949c17de918b8fcdc28112279bd949660369

          SHA256

          1c62c5b0f8c9f1f6ebbe1df515175b6a5620c6c623d3c51b05042a1646bb4d02

          SHA512

          4f4f6037802a2dca4cee15c8564a2f0755aeb94903eb4467407c1a735d980333a4eb7b1b1ef4cf0923aefdb5a42fc6d4287139a7357ea9daa83783f8e1cb5c53

        • C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Invece.msi
          MD5

          47ebadd7365c2186dacce71f058e30f0

          SHA1

          3ed2838977d943570245762f220ab6e790cc1a05

          SHA256

          9ef508c77abe54699966ce4bb3328e7fc76f3b8ad3b22e53ff5e449f238b7b2f

          SHA512

          2cebcac856c1b07f852edeed14b004db34204ca072c21daae5b0ebe726107243f5bf37062b4694a50a558add81ec9b546c3bc1c0f5fa6bb7cd73afebd82a3c41

        • C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Tese.msi
          MD5

          c5de73401a4ad08730d7448f9db41add

          SHA1

          81bc3db1099aba71c987f8fd889d706a23618ca7

          SHA256

          aefe8c340ebcceae51f9017ccf56a74a6f5efc5012523d68a76b2d397dbc238a

          SHA512

          3004583935d5c1aa2e118abbe197bcac4c2f2f005741b9aef751d8de0b35acbc71ecd7993de44b32c4df45458c74e54c387fe88b842086583383f8625dc7cdb2

        • C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com
          MD5

          78ba0653a340bac5ff152b21a83626cc

          SHA1

          b12da9cb5d024555405040e65ad89d16ae749502

          SHA256

          05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

          SHA512

          efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

        • C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com
          MD5

          78ba0653a340bac5ff152b21a83626cc

          SHA1

          b12da9cb5d024555405040e65ad89d16ae749502

          SHA256

          05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

          SHA512

          efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

        • C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Trascinava.exe.com
          MD5

          78ba0653a340bac5ff152b21a83626cc

          SHA1

          b12da9cb5d024555405040e65ad89d16ae749502

          SHA256

          05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

          SHA512

          efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

        • C:\Users\Admin\AppData\Roaming\ieBjZPIwrfYTIGFlspmRCLiHMokMPmlPcKhNkxSfoosYGYzWBAYSlPqvVTmQDWkDtonXzSYWslJxzoqNPfkfBaFF\Y
          MD5

          ca9ab8aa57ce91b56ea5f97fc2ff6deb

          SHA1

          0aed949c17de918b8fcdc28112279bd949660369

          SHA256

          1c62c5b0f8c9f1f6ebbe1df515175b6a5620c6c623d3c51b05042a1646bb4d02

          SHA512

          4f4f6037802a2dca4cee15c8564a2f0755aeb94903eb4467407c1a735d980333a4eb7b1b1ef4cf0923aefdb5a42fc6d4287139a7357ea9daa83783f8e1cb5c53

        • \Users\Admin\AppData\Local\Temp\NVUOHK~1.DLL
          MD5

          aafd670c8407318a89a14453c1bfbcc1

          SHA1

          ebc4ffd7e7c17c25d17047581e9f728bb18e527c

          SHA256

          8c9ea69aa624cce70ba8cc22d42d306eed5decadaac3799fad19001f2b6eafd1

          SHA512

          7885593205fc96dd99c3691a960b562199f916c840d1ee70a826827dcdf1e2fd7c6340b8ff01a983d39994340ddc2d87d50be2c2f7e3e86f577aacb13a40e6fa

        • \Users\Admin\AppData\Local\Temp\NVUOHK~1.DLL
          MD5

          aafd670c8407318a89a14453c1bfbcc1

          SHA1

          ebc4ffd7e7c17c25d17047581e9f728bb18e527c

          SHA256

          8c9ea69aa624cce70ba8cc22d42d306eed5decadaac3799fad19001f2b6eafd1

          SHA512

          7885593205fc96dd99c3691a960b562199f916c840d1ee70a826827dcdf1e2fd7c6340b8ff01a983d39994340ddc2d87d50be2c2f7e3e86f577aacb13a40e6fa

        • \Users\Admin\AppData\Local\Temp\NVUOHK~1.DLL
          MD5

          aafd670c8407318a89a14453c1bfbcc1

          SHA1

          ebc4ffd7e7c17c25d17047581e9f728bb18e527c

          SHA256

          8c9ea69aa624cce70ba8cc22d42d306eed5decadaac3799fad19001f2b6eafd1

          SHA512

          7885593205fc96dd99c3691a960b562199f916c840d1ee70a826827dcdf1e2fd7c6340b8ff01a983d39994340ddc2d87d50be2c2f7e3e86f577aacb13a40e6fa

        • memory/196-151-0x0000000000000000-mapping.dmp
        • memory/208-114-0x0000000000000000-mapping.dmp
        • memory/1176-118-0x0000000000000000-mapping.dmp
        • memory/1720-146-0x0000000005181000-0x00000000057DF000-memory.dmp
          Filesize

          6.4MB

        • memory/1720-135-0x0000000000000000-mapping.dmp
        • memory/1720-148-0x0000000003190000-0x0000000003191000-memory.dmp
          Filesize

          4KB

        • memory/1928-130-0x0000000000000000-mapping.dmp
        • memory/1928-138-0x0000000001740000-0x0000000001E34000-memory.dmp
          Filesize

          7.0MB

        • memory/1928-139-0x0000000000400000-0x0000000000B00000-memory.dmp
          Filesize

          7.0MB

        • memory/1928-140-0x0000000001050000-0x0000000001051000-memory.dmp
          Filesize

          4KB

        • memory/2124-121-0x0000000000000000-mapping.dmp
        • memory/2436-143-0x0000000000000000-mapping.dmp
        • memory/2436-147-0x00000000041A0000-0x000000000475A000-memory.dmp
          Filesize

          5.7MB

        • memory/2436-149-0x00000000048A0000-0x00000000048A1000-memory.dmp
          Filesize

          4KB

        • memory/2436-150-0x0000000004DB1000-0x000000000540F000-memory.dmp
          Filesize

          6.4MB

        • memory/2688-128-0x0000000000A40000-0x0000000000A41000-memory.dmp
          Filesize

          4KB

        • memory/2688-125-0x0000000000000000-mapping.dmp
        • memory/3044-133-0x0000000000000000-mapping.dmp
        • memory/3348-117-0x0000000000000000-mapping.dmp
        • memory/3544-115-0x0000000000000000-mapping.dmp
        • memory/3844-123-0x0000000000000000-mapping.dmp