Resubmissions

29-09-2021 10:05

210929-l4j75aefbp 10

Analysis

  • max time kernel
    147s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    29-09-2021 10:05

General

  • Target

    baabe38154bc2271d603513346457154.exe

  • Size

    1.1MB

  • MD5

    baabe38154bc2271d603513346457154

  • SHA1

    86ebdcd4ba7e7985c80f3897d5adba2d2c923d52

  • SHA256

    0c1978c1bc51c425f13e670074ddfd36d3e6e458dab5bcb1527c2b37953e13d6

  • SHA512

    149c353564df264c5d7f32f072fdcdc91e0c0ee12fe0508968003a887412fa9d47204abadc9d8c61cb955bdc1e3335db8f6f334a7838f62f95d3f28d8d576502

Malware Config

Extracted

Family

danabot

Version

2052

Botnet

4

C2

142.11.192.232:443

192.119.110.73:443

142.11.242.31:443

192.210.222.88:443

Attributes
  • embedded_hash

    F4711E27D559B4AEB1A081A1EB0AC465

  • rsa_privkey.plain
  • rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component (16 IoCs)
  • Blocklisted process makes network request (2 IoCs)
  • Loads dropped DLL (12 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 37 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (49 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\baabe38154bc2271d603513346457154.exe
    "C:\Users\Admin\AppData\Local\Temp\baabe38154bc2271d603513346457154.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BAABE3~1.DLL,s C:\Users\Admin\AppData\Local\Temp\BAABE3~1.EXE
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BAABE3~1.DLL,dDBESGc=
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Windows\SysWOW64\RUNDLL32.EXE
          C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BAABE3~1.DLL,VRFDelZCSQ==
          4⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1052
          • C:\Windows\system32\rundll32.exe
            C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17710
            5⤵
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:1700
            • C:\Windows\system32\ctfmon.exe
              ctfmon.exe
              6⤵
                PID:1868
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD49C.tmp.ps1"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1648
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE4D4.tmp.ps1"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:280
            • C:\Windows\SysWOW64\nslookup.exe
              "C:\Windows\system32\nslookup.exe" -type=any localhost
              5⤵
                PID:1288
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
            4⤵
              PID:1312
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
            4⤵
              PID:288

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/280-110-0x0000000002542000-0x0000000002544000-memory.dmp (8KB)
  • memory/280-109-0x0000000002541000-0x0000000002542000-memory.dmp (4KB)
  • memory/280-108-0x0000000002540000-0x0000000002541000-memory.dmp (4KB)
  • memory/1052-84-0x0000000002070000-0x00000000021D4000-memory.dmp (1.4MB)
  • memory/1052-86-0x00000000034F0000-0x00000000034F1000-memory.dmp (4KB)
  • memory/1052-87-0x00000000024B0000-0x0000000003495000-memory.dmp (15.9MB)
  • memory/1052-90-0x00000000001E0000-0x00000000001E1000-memory.dmp (4KB)
  • memory/1396-72-0x0000000000AA0000-0x0000000000C04000-memory.dmp (1.4MB)
  • memory/1396-77-0x0000000002450000-0x0000000003435000-memory.dmp (15.9MB)
  • memory/1616-64-0x0000000001EA0000-0x0000000002004000-memory.dmp (1.4MB)
  • memory/1616-74-0x00000000027F0000-0x00000000037D5000-memory.dmp (15.9MB)
  • memory/1616-65-0x0000000002210000-0x0000000002211000-memory.dmp (4KB)
  • memory/1648-98-0x0000000002362000-0x0000000002364000-memory.dmp (8KB)
  • memory/1648-96-0x0000000002360000-0x0000000002361000-memory.dmp (4KB)
  • memory/1648-97-0x0000000002361000-0x0000000002362000-memory.dmp (4KB)
  • memory/1700-91-0x0000000000170000-0x0000000000310000-memory.dmp (1.6MB)
  • memory/1700-92-0x0000000001DA0000-0x0000000001F52000-memory.dmp (1.7MB)
  • memory/1700-89-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp (8KB)
  • memory/2040-56-0x0000000000400000-0x0000000000521000-memory.dmp (1.1MB)
  • memory/2040-55-0x0000000002020000-0x0000000002127000-memory.dmp (1.0MB)
  • memory/2040-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp (8KB)