danabot | 83c713b4f6938fb03c8ddbbfd0830b90aa9dc33cc8309f8866396860e4b59243

Analysis

max time kernel
123s
max time network
139s
platform
windows7_x64
resource
win7v20210408
submitted
03-05-2021 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vpn.exe
Size

1.0MB
MD5

ae672455612bde0a10259c441ffc97b3
SHA1

378527fc598c402982fc0816282fef5e97318a76
SHA256

83c713b4f6938fb03c8ddbbfd0830b90aa9dc33cc8309f8866396860e4b59243
SHA512

f366df4117ff648b3d205dd0c5713054a6733bc86e70018065514d0075c87c50b188a95a159dd6ccda72bce22f3baf5797e3cfc470ac150bf47e6c74851fbe81

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

23.106.123.185:443

192.210.198.12:443

192.236.147.83:443

37.220.31.94:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 9 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow	pid	process
17	1512	RUNDLL32.EXE
20	1924	WScript.exe
22	1924	WScript.exe
24	1924	WScript.exe
26	1924	WScript.exe
28	1924	WScript.exe
31	1512	RUNDLL32.EXE
32	1512	RUNDLL32.EXE
33	1512	RUNDLL32.EXE

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Ama.exe.comAma.exe.combrlqfnhv.exe

pid process

992 Ama.exe.com
316 Ama.exe.com
1960 brlqfnhv.exe

pid	process
992	Ama.exe.com
316	Ama.exe.com
1960	brlqfnhv.exe

Loads dropped DLL 11 IoCs

Processes:

cmd.exeAma.exe.comrundll32.exeRUNDLL32.EXE

pid	process
1464	cmd.exe
316	Ama.exe.com
316	Ama.exe.com
1288	rundll32.exe
1288	rundll32.exe
1288	rundll32.exe
1288	rundll32.exe
1512	RUNDLL32.EXE
1512	RUNDLL32.EXE
1512	RUNDLL32.EXE
1512	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

RUNDLL32.EXE

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini RUNDLL32.EXE
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	RUNDLL32.EXE

flow	ioc
6	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ama.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ama.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ama.exe.com

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Ama.exe.comWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Ama.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Ama.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

288 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 1288 rundll32.exe
Token: SeDebugPrivilege 1512 RUNDLL32.EXE

pid	process
288	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1288	rundll32.exe
Token: SeDebugPrivilege	1512	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

vpn.execmd.execmd.exeAma.exe.comAma.exe.combrlqfnhv.exerundll32.exe

description	pid	process	target process
PID 1848 wrote to memory of 784	1848	vpn.exe	svchost.exe
PID 1848 wrote to memory of 784	1848	vpn.exe	svchost.exe
PID 1848 wrote to memory of 784	1848	vpn.exe	svchost.exe
PID 1848 wrote to memory of 784	1848	vpn.exe	svchost.exe
PID 1848 wrote to memory of 1148	1848	vpn.exe	cmd.exe
PID 1848 wrote to memory of 1148	1848	vpn.exe	cmd.exe
PID 1848 wrote to memory of 1148	1848	vpn.exe	cmd.exe
PID 1848 wrote to memory of 1148	1848	vpn.exe	cmd.exe
PID 1148 wrote to memory of 1464	1148	cmd.exe	cmd.exe
PID 1148 wrote to memory of 1464	1148	cmd.exe	cmd.exe
PID 1148 wrote to memory of 1464	1148	cmd.exe	cmd.exe
PID 1148 wrote to memory of 1464	1148	cmd.exe	cmd.exe
PID 1464 wrote to memory of 1596	1464	cmd.exe	findstr.exe
PID 1464 wrote to memory of 1596	1464	cmd.exe	findstr.exe
PID 1464 wrote to memory of 1596	1464	cmd.exe	findstr.exe
PID 1464 wrote to memory of 1596	1464	cmd.exe	findstr.exe
PID 1464 wrote to memory of 992	1464	cmd.exe	Ama.exe.com
PID 1464 wrote to memory of 992	1464	cmd.exe	Ama.exe.com
PID 1464 wrote to memory of 992	1464	cmd.exe	Ama.exe.com
PID 1464 wrote to memory of 992	1464	cmd.exe	Ama.exe.com
PID 1464 wrote to memory of 288	1464	cmd.exe	PING.EXE
PID 1464 wrote to memory of 288	1464	cmd.exe	PING.EXE
PID 1464 wrote to memory of 288	1464	cmd.exe	PING.EXE
PID 1464 wrote to memory of 288	1464	cmd.exe	PING.EXE
PID 992 wrote to memory of 316	992	Ama.exe.com	Ama.exe.com
PID 992 wrote to memory of 316	992	Ama.exe.com	Ama.exe.com
PID 992 wrote to memory of 316	992	Ama.exe.com	Ama.exe.com
PID 992 wrote to memory of 316	992	Ama.exe.com	Ama.exe.com
PID 316 wrote to memory of 1960	316	Ama.exe.com	brlqfnhv.exe
PID 316 wrote to memory of 1960	316	Ama.exe.com	brlqfnhv.exe
PID 316 wrote to memory of 1960	316	Ama.exe.com	brlqfnhv.exe
PID 316 wrote to memory of 1960	316	Ama.exe.com	brlqfnhv.exe
PID 316 wrote to memory of 680	316	Ama.exe.com	WScript.exe
PID 316 wrote to memory of 680	316	Ama.exe.com	WScript.exe
PID 316 wrote to memory of 680	316	Ama.exe.com	WScript.exe
PID 316 wrote to memory of 680	316	Ama.exe.com	WScript.exe
PID 1960 wrote to memory of 1288	1960	brlqfnhv.exe	rundll32.exe
PID 1960 wrote to memory of 1288	1960	brlqfnhv.exe	rundll32.exe
PID 1960 wrote to memory of 1288	1960	brlqfnhv.exe	rundll32.exe
PID 1960 wrote to memory of 1288	1960	brlqfnhv.exe	rundll32.exe
PID 1960 wrote to memory of 1288	1960	brlqfnhv.exe	rundll32.exe
PID 1960 wrote to memory of 1288	1960	brlqfnhv.exe	rundll32.exe
PID 1960 wrote to memory of 1288	1960	brlqfnhv.exe	rundll32.exe
PID 1288 wrote to memory of 1512	1288	rundll32.exe	RUNDLL32.EXE
PID 1288 wrote to memory of 1512	1288	rundll32.exe	RUNDLL32.EXE
PID 1288 wrote to memory of 1512	1288	rundll32.exe	RUNDLL32.EXE
PID 1288 wrote to memory of 1512	1288	rundll32.exe	RUNDLL32.EXE
PID 1288 wrote to memory of 1512	1288	rundll32.exe	RUNDLL32.EXE
PID 1288 wrote to memory of 1512	1288	rundll32.exe	RUNDLL32.EXE
PID 1288 wrote to memory of 1512	1288	rundll32.exe	RUNDLL32.EXE
PID 316 wrote to memory of 1924	316	Ama.exe.com	WScript.exe
PID 316 wrote to memory of 1924	316	Ama.exe.com	WScript.exe
PID 316 wrote to memory of 1924	316	Ama.exe.com	WScript.exe
PID 316 wrote to memory of 1924	316	Ama.exe.com	WScript.exe

C:\Users\Admin\AppData\Local\Temp\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\vpn.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Avvenne.pst
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^OrbGtAtgShJATMzcwdgeFqmrVYufAJzwsUiIUTHcvjNANrHaHsmcZKvOExKyxOOpTIoYFKAiISGzjZdSsN$" Crudelta.pst
      4⤵
      PID:1596
  - - C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com
      Ama.exe.com p
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com
        
        C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com p
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\brlqfnhv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\brlqfnhv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BRLQFN~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\brlqfnhv.exe
        7⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BRLQFN~1.DLL,Z2AH
        8⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\osoffybt.vbs"
        6⤵
        
        PID:680
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fpqduxkd.vbs"
        6⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:1924
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
e0e3aba8a2e7f86c2f523b5dc019905a

SHA1
97f0e48a80496d0d17ea3905d3c41e1dd6359a22

SHA256
3bd3dba56666d45912a35e3a0eaa71c201b8d422b7ea5e33a8dcb12da0ab5ea4

SHA512
b5aa9947d9b31565c23a7e0cb30e8a224808c38faee6758538e8972fc08cded09ff1e459690fbd09da9bd6de7b304c3c6b80afd07f9c9e51b33f9fae17d4241c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\json[1].json

MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

MD5
c52fd6194cbd8e1bec1b30f1aafeacc9

SHA1
4cb86f98a71e15be4fc18d234cb79600cf1eee10

SHA256
b06d4f67bd91c03b0cbc29996324ec9dd883c4a1f79b3ecb801bd14c53253925

SHA512
5aa61f9142c877b2c5caa927b98667c3a1b54b3c20026f47ba6c0d0c3d9368055a5df9de177b2d021297b8301feb7c3f340632eae1ce6b61fd427061625af603

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F03.tmp

MD5
0c17abb0ed055fecf0c48bb6e46eb4eb

SHA1
a692730c8ec7353c31b94a888f359edb54aaa4c8

SHA256
f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0

SHA512
645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BRLQFN~1.DLL

MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\brlqfnhv.exe

MD5
31b136df3d075b5b6a35e1acc1c25c91

SHA1
4d0ea72897b2ff2152f74801a5188bfe5df0e786

SHA256
6418a8143a1f38f1e0050f923d67ff234c7214d59f58a8da3cfb74da892c7419

SHA512
4a71d2212b57bf5c9a853ca1b2af52bdd10ed3f3ce9b245eb13011456d0ef2ac6db7d5a6cc62fe31e7fff876c9be21e66004b7722c0d797420563a930e2afcb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\brlqfnhv.exe

MD5
31b136df3d075b5b6a35e1acc1c25c91

SHA1
4d0ea72897b2ff2152f74801a5188bfe5df0e786

SHA256
6418a8143a1f38f1e0050f923d67ff234c7214d59f58a8da3cfb74da892c7419

SHA512
4a71d2212b57bf5c9a853ca1b2af52bdd10ed3f3ce9b245eb13011456d0ef2ac6db7d5a6cc62fe31e7fff876c9be21e66004b7722c0d797420563a930e2afcb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpqduxkd.vbs

MD5
c0dfc72866e15a8a0eb9893f0896a465

SHA1
ab6c56586d2c1a7d62833141cd13f97aa8e709db

SHA256
bffb3e0f7dccc74ef7170f72535be768b3a49def7c1f93edc733eb6e2c8a5012

SHA512
beff0f21537f7e9f6fc7e7296df03d119575457140e8bd3f0879cf885ec0bb387bf458a0b34ddf60cdcff14066c4cb4681bf930a61a8c9c5465b5178d71eaa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\osoffybt.vbs

MD5
2f12f5d0a5768ab5262a35117371d3a9

SHA1
e4ca3669141978cc8151284c5d9a142b5c87616b

SHA256
3fb6f81b296f25ee46e5213e161d90d6782811eaaa4f0da8158d4eb57e96a45e

SHA512
35f6086e63e287663568eda7a1660d30a43d95d7eb8cd68e1de08a9b0853048153e6401d86d2ccb923288d08e9b3a1f1b7080465746ea6d6679abddfe4b7af00

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Arcate.pst

MD5
cb84d48d8a79791bee0d1e52740ccb92

SHA1
902e3d817e09274d47c1d00fc10e0e831a0a4964

SHA256
f253dece3b82426eecbd65c4f34d9a5dcb02a8710c83fc4a48d9edc8f6b89f65

SHA512
20d0dccc6e80dc44c2beba3c0dceaf23e886e68b3b36de6675a8357f27a60da8dde0e7df4450a8491ae1dee1e8c4c8d6f1cf37231326cdd86793bf2088f01a68

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Avvenne.pst

MD5
3a9d03cccbf783554b8350fff9bbc8df

SHA1
636b49abfcadb9c4242772c65b1a4d6485df1cea

SHA256
e1f3771ea85d11ed1ce2f3686c087f5e53b94b6165d4105a8dc76f03ef8cbd1b

SHA512
c3c620e1e34fcfcbdfa7d84ab015c070a40265b67f40d9a7d857a4f695d6a05ab660dac767f1e9d6f9e667b5c040b9e807c610ade9cfa6f7931e3cd1c476fb8b

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Crudelta.pst

MD5
0d540d5ad9aae4b04416a647d36e6b8f

SHA1
1dc0f743995d6706927c2b01d5fa6860fb4ac118

SHA256
31c317f12b408beed5e0da60734a083797d0d0a599710875352cccab59970049

SHA512
d723b84e6fa7752a4bc2afa74aee80f88a3d0d6fb9c62462866738a37c7f77dfa7f8c590670afadd26dcdbdd9415d51de7df424a9c0eaf3b7af9458a3646ebbd

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ora.pst

MD5
3ca4dc18e084c073dbd4976dc9dfb602

SHA1
6a2f962587ab39e0ad7322d71ad590612052d466

SHA256
115b36d44dd6636f4fe7659c898d2440194ae6a6d9073e28475269c65fd53c17

SHA512
6d5a8285a010f250a2b8117b6f1b4cdab5d625f56feb3fe4aaff3036436db22d207ce823232881e93dcbae0cb5625f05c4227f4d3a7726334765c391b78b5fb4

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\p

MD5
cb84d48d8a79791bee0d1e52740ccb92

SHA1
902e3d817e09274d47c1d00fc10e0e831a0a4964

SHA256
f253dece3b82426eecbd65c4f34d9a5dcb02a8710c83fc4a48d9edc8f6b89f65

SHA512
20d0dccc6e80dc44c2beba3c0dceaf23e886e68b3b36de6675a8357f27a60da8dde0e7df4450a8491ae1dee1e8c4c8d6f1cf37231326cdd86793bf2088f01a68

Download Submit
\Users\Admin\AppData\Local\Temp\BRLQFN~1.DLL

MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\BRLQFN~1.DLL

MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\BRLQFN~1.DLL

MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\BRLQFN~1.DLL

MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\BRLQFN~1.DLL

MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\BRLQFN~1.DLL

MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\BRLQFN~1.DLL

MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\BRLQFN~1.DLL

MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\brlqfnhv.exe

MD5
31b136df3d075b5b6a35e1acc1c25c91

SHA1
4d0ea72897b2ff2152f74801a5188bfe5df0e786

SHA256
6418a8143a1f38f1e0050f923d67ff234c7214d59f58a8da3cfb74da892c7419

SHA512
4a71d2212b57bf5c9a853ca1b2af52bdd10ed3f3ce9b245eb13011456d0ef2ac6db7d5a6cc62fe31e7fff876c9be21e66004b7722c0d797420563a930e2afcb6

Download Submit
\Users\Admin\AppData\Local\Temp\brlqfnhv.exe

MD5
31b136df3d075b5b6a35e1acc1c25c91

SHA1
4d0ea72897b2ff2152f74801a5188bfe5df0e786

SHA256
6418a8143a1f38f1e0050f923d67ff234c7214d59f58a8da3cfb74da892c7419

SHA512
4a71d2212b57bf5c9a853ca1b2af52bdd10ed3f3ce9b245eb13011456d0ef2ac6db7d5a6cc62fe31e7fff876c9be21e66004b7722c0d797420563a930e2afcb6

Download Submit
\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/288-70-0x0000000000000000-mapping.dmp

Download
memory/316-77-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/316-73-0x0000000000000000-mapping.dmp

Download
memory/680-83-0x0000000000000000-mapping.dmp

Download
memory/784-60-0x0000000000000000-mapping.dmp

Download
memory/992-68-0x0000000000000000-mapping.dmp

Download
memory/1148-61-0x0000000000000000-mapping.dmp

Download
memory/1288-99-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1288-101-0x0000000002AD1000-0x000000000312F000-memory.dmp

Filesize
6.4MB

Download
memory/1288-103-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1288-96-0x0000000001FB0000-0x000000000256A000-memory.dmp

Filesize
5.7MB

Download
memory/1288-87-0x0000000000000000-mapping.dmp

Download
memory/1464-63-0x0000000000000000-mapping.dmp

Download
memory/1512-110-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/1512-100-0x0000000000000000-mapping.dmp

Download
memory/1512-108-0x0000000002050000-0x000000000260A000-memory.dmp

Filesize
5.7MB

Download
memory/1512-109-0x0000000002A01000-0x000000000305F000-memory.dmp

Filesize
6.4MB

Download
memory/1596-64-0x0000000000000000-mapping.dmp

Download
memory/1848-59-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1924-112-0x0000000000000000-mapping.dmp

Download
memory/1960-89-0x0000000002F20000-0x0000000003615000-memory.dmp

Filesize
7.0MB

Download
memory/1960-94-0x0000000000400000-0x0000000000DF2000-memory.dmp

Filesize
9.9MB

Download
memory/1960-97-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1960-81-0x0000000000000000-mapping.dmp

Download