Overview

overview

10

Static

static

baabe38154...54.exe

windows7_x64

10

baabe38154...54.exe

windows10_x64

10

Resubmissions

29-09-2021 10:05

210929-l4j75aefbp 10

Analysis

  • max time kernel
    117s
  • max time network
    129s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29-09-2021 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    baabe38154bc2271d603513346457154.exe

  • Size

    1.1MB

  • MD5

    baabe38154bc2271d603513346457154

  • SHA1

    86ebdcd4ba7e7985c80f3897d5adba2d2c923d52

  • SHA256

    0c1978c1bc51c425f13e670074ddfd36d3e6e458dab5bcb1527c2b37953e13d6

  • SHA512

    149c353564df264c5d7f32f072fdcdc91e0c0ee12fe0508968003a887412fa9d47204abadc9d8c61cb955bdc1e3335db8f6f334a7838f62f95d3f28d8d576502

Score
10/10
danabot4bankerdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

danabot

Version

2052

Botnet

4

C2

142.11.192.232:443

192.119.110.73:443

142.11.242.31:443

192.210.222.88:443
Attributes
  • embedded_hash

    F4711E27D559B4AEB1A081A1EB0AC465

rsa_privkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot Loader Component 6 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 50 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\baabe38154bc2271d603513346457154.exe
    "C:\Users\Admin\AppData\Local\Temp\baabe38154bc2271d603513346457154.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BAABE3~1.DLL,s C:\Users\Admin\AppData\Local\Temp\BAABE3~1.EXE
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BAABE3~1.DLL,eihSSkVu
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\BAABE3~1.DLL
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3864
        • C:\Windows\SysWOW64\RUNDLL32.EXE
          C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BAABE3~1.DLL,UBc4NTdw
          4⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2024
          • C:\Windows\system32\rundll32.exe
            C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17897
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2548
            • C:\Windows\system32\ctfmon.exe
              ctfmon.exe
              6⤵
                PID:4056
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpB869.tmp.ps1"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3792
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE0D.tmp.ps1"
            4⤵
              PID:1088
              • C:\Windows\SysWOW64\nslookup.exe
                "C:\Windows\system32\nslookup.exe" -type=any localhost
                5⤵
                  PID:2288
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
                4⤵
                  PID:1700
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
                  4⤵
                    PID:1724

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/652-115-0x0000000000400000-0x0000000000521000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/652-114-0x0000000002490000-0x0000000002597000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/860-125-0x0000000004FA0000-0x0000000005F85000-memory.dmp

              Filesize

              15.9MB

              Download

            • memory/1088-321-0x0000000004DA2000-0x0000000004DA3000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1088-422-0x0000000004DA3000-0x0000000004DA4000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1088-319-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2024-148-0x00000000051F0000-0x00000000061D5000-memory.dmp

              Filesize

              15.9MB

              Download

            • memory/2024-157-0x00000000064B0000-0x00000000064B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2548-158-0x0000000000C30000-0x0000000000DD0000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2548-159-0x000001ADEDF00000-0x000001ADEE0B2000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/3144-131-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3144-129-0x00000000042B0000-0x0000000004414000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/3144-136-0x00000000048A0000-0x0000000005885000-memory.dmp

              Filesize

              15.9MB

              Download

            • memory/3792-173-0x0000000007480000-0x0000000007481000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3792-211-0x0000000008C80000-0x0000000008C81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3792-184-0x0000000008A60000-0x0000000008A61000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3792-194-0x000000000A290000-0x000000000A291000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3792-175-0x0000000007482000-0x0000000007483000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3792-196-0x0000000009840000-0x0000000009841000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3792-214-0x0000000007483000-0x0000000007484000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-207-0x000000007F2E0000-0x000000007F2E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-162-0x0000000008070000-0x0000000008071000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-180-0x0000000008A20000-0x0000000008A21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-212-0x0000000009CF0000-0x0000000009CF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-213-0x0000000007393000-0x0000000007394000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-204-0x0000000008B00000-0x0000000008B01000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-176-0x00000000085E0000-0x00000000085E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-197-0x00000000099F0000-0x0000000009A23000-memory.dmp

              Filesize

              204KB

              Download

            • memory/3864-178-0x0000000008B40000-0x0000000008B41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-164-0x0000000008290000-0x0000000008291000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-163-0x0000000008220000-0x0000000008221000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-210-0x0000000009B20000-0x0000000009B21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-161-0x0000000007950000-0x0000000007951000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-146-0x0000000007392000-0x0000000007393000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-145-0x0000000007390000-0x0000000007391000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-144-0x00000000079D0000-0x00000000079D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-436-0x0000000009BF0000-0x0000000009BF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-443-0x0000000009BE0000-0x0000000009BE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3864-140-0x0000000007240000-0x0000000007241000-memory.dmp

              Filesize

              4KB

              Download