Overview

overview

10

Static

static

SecuriteIn...81.exe

windows7_x64

10

SecuriteIn...81.exe

windows10_x64

10

Analysis

  • max time kernel
    131s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    22-04-2021 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe

  • Size

    5.9MB

  • MD5

    9077ee02ee92c4a1f4e874f1f086e220

  • SHA1

    651fd5e02b12155f79313db85e3669a82a528edb

  • SHA256

    488d2bdd81feedeb4b82a8e1acf319c4ad8b6d3170dd877d768430c19513d52c

  • SHA512

    c4aabefd8939e004d1c0616b49e5ef7c192e234bce928a86705549c387f5d371b8048c7d7cf6fe8c985e7cc1e963616875bdda3bffec8a6fcd7cb4c3fb5af388

Score
10/10
danabot3bankerdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

23.106.123.141:443

23.254.225.170:443

23.106.123.185:443

37.220.31.94:443
Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,fFgk
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:3032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 564
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    7f83141b7f64313e569bcf085dd2ce74

    SHA1

    3368eb31aa88fd59730bdc73b4f38ba28c37ad5a

    SHA256

    613b93ea5a9c267dcbb30d187625d5cf399fac4b9d35582bf0ad2f9a35cce60b

    SHA512

    8bb4a980d117273f134430ffe2a75d5a1b5a5887c80f4f573b1fc06ac280f2bc5736e89e942c9695fe512579628ad055faef8ddfa542948b1bb8ee0f4c379dba

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    7f83141b7f64313e569bcf085dd2ce74

    SHA1

    3368eb31aa88fd59730bdc73b4f38ba28c37ad5a

    SHA256

    613b93ea5a9c267dcbb30d187625d5cf399fac4b9d35582bf0ad2f9a35cce60b

    SHA512

    8bb4a980d117273f134430ffe2a75d5a1b5a5887c80f4f573b1fc06ac280f2bc5736e89e942c9695fe512579628ad055faef8ddfa542948b1bb8ee0f4c379dba

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    7f83141b7f64313e569bcf085dd2ce74

    SHA1

    3368eb31aa88fd59730bdc73b4f38ba28c37ad5a

    SHA256

    613b93ea5a9c267dcbb30d187625d5cf399fac4b9d35582bf0ad2f9a35cce60b

    SHA512

    8bb4a980d117273f134430ffe2a75d5a1b5a5887c80f4f573b1fc06ac280f2bc5736e89e942c9695fe512579628ad055faef8ddfa542948b1bb8ee0f4c379dba

    Download Submit
  • memory/2532-117-0x0000000000000000-mapping.dmp
    Download
  • memory/2532-121-0x00000000052A1000-0x00000000058FF000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/2532-135-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3032-127-0x0000000000000000-mapping.dmp
    Download
  • memory/3032-136-0x0000000005221000-0x000000000587F000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/3176-114-0x0000000005460000-0x0000000005B55000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/3176-116-0x00000000031D0000-0x00000000031D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3176-115-0x0000000000400000-0x0000000003159000-memory.dmp
    Filesize

    45.3MB

    Download