Overview

overview

10

Static

static

SecuriteIn...99.exe

windows7_x64

10

SecuriteIn...99.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    03-05-2021 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetect.malware1.32629.3499.exe

  • Size

    6.0MB

  • MD5

    7b1ad0c4bb7e5bc33b2da7ebffe86e6f

  • SHA1

    276b2ae7a851a06e7e026022bdee6d4113495551

  • SHA256

    345a564dd605f8d904c4f1ff4d3bf5686a9d88b9fe4b586aba4b23f45cffe297

  • SHA512

    ec7aa5d9f50bbe33421f59de774b00bc9cd8899be34a1c8fc7ee09935e255ff4c50904bd019d67a57734e5852eafc19e2815e9a6be53ce97f796bc65fd7276cd

Score
10/10
danabot3bankerdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

23.106.123.185:443

192.210.198.12:443

192.236.147.83:443

37.220.31.94:443
Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Blocklisted process makes network request 4 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.32629.3499.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.32629.3499.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:504
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,TBg0LDaBBQ==
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    ce2816dd27b6f679acfbfbad58c5ac6e

    SHA1

    2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

    SHA256

    90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

    SHA512

    1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    ce2816dd27b6f679acfbfbad58c5ac6e

    SHA1

    2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

    SHA256

    90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

    SHA512

    1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    ce2816dd27b6f679acfbfbad58c5ac6e

    SHA1

    2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

    SHA256

    90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

    SHA512

    1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    ce2816dd27b6f679acfbfbad58c5ac6e

    SHA1

    2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

    SHA256

    90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

    SHA512

    1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

    Download Submit
  • memory/504-126-0x0000000004FD1000-0x000000000562F000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/504-117-0x0000000000000000-mapping.dmp
    Download
  • memory/504-127-0x0000000000F40000-0x000000000108A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1196-122-0x0000000000000000-mapping.dmp
    Download
  • memory/1196-125-0x00000000044B0000-0x0000000004A6A000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1196-128-0x0000000004C80000-0x0000000004C81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1196-129-0x0000000005081000-0x00000000056DF000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/2992-116-0x0000000000F50000-0x0000000000F51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2992-114-0x00000000030E0000-0x00000000037D5000-memory.dmp
    Filesize

    7.0MB

    Download
  • memory/2992-115-0x0000000000400000-0x0000000000DF2000-memory.dmp
    Filesize

    9.9MB

    Download