Overview

overview

10

Static

static

748984d40e...3d.exe

windows7_x64

9

748984d40e...3d.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 16:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    748984d40e7ab68b0a130a620b550a3d.exe

  • Size

    5.9MB

  • MD5

    748984d40e7ab68b0a130a620b550a3d

  • SHA1

    ac800bb6aaf3172d3d0170300f8ba3dc03304b60

  • SHA256

    4f27a3fe51d0494d18648a7279b2a368f86288148b7c1044d4d24ae7e4dfcca1

  • SHA512

    af6fc23b6ec54e36a150f824060b3b14fbc39c0dd88023bda5891a99d79e6aa81a8300fc053b3f8c004d25399b61e5012898a636b6d3e5e8f695d49df8f93f5c

Score
10/10
danabotbankerevasionthemidatrojan

Malware Config

Extracted

Family

danabot

C2

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443
Attributes
  • embedded_hash

    F4711E27D559B4AEB1A081A1EB0AC465

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot Loader Component 4 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Themida packer 16 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\748984d40e7ab68b0a130a620b550a3d.exe
    "C:\Users\Admin\AppData\Local\Temp\748984d40e7ab68b0a130a620b550a3d.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe
      "C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Drops startup file
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
        "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: AddClipboardFormatListener
        PID:2388
    • C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
      "C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Users\Admin\AppData\Local\Temp\sqohtjwxmc.exe
        "C:\Users\Admin\AppData\Local\Temp\sqohtjwxmc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SQOHTJ~1.DLL,s C:\Users\Admin\AppData\Local\Temp\SQOHTJ~1.EXE
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          PID:1040
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\uksmncvkjp.vbs"
        3⤵
          PID:2856
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qehtqfiliihs.vbs"
          3⤵
          • Blocklisted process makes network request
          • Modifies system certificate store
          PID:1736

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Virtualization/Sandbox Evasion

    1
    T1497

    Install Root Certificate

    1
    T1130

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SQOHTJ~1.DLL
      MD5

      e9097da0e32ffdd73a63ee1f3ae2eecb

      SHA1

      c06cddfaa09fddf21a66ae63851b84d35530b895

      SHA256

      c718dc6bab05e1de10aca117fc13f1741366ebd09b4036b0b7297b03b252658b

      SHA512

      d00cc189fce713bf8e234aacd6220826f6934e1c4f1dddadac6009e7c2e59f00f2f072f069829c33c4f0cbbd3e7b11e6008117007bf300274f8d1daa2585ffb2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe
      MD5

      dee7f81724e172738ba8942a2c56c9d0

      SHA1

      debcc55ada38e5252a985dd205749bec5cc423cb

      SHA256

      783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

      SHA512

      e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe
      MD5

      dee7f81724e172738ba8942a2c56c9d0

      SHA1

      debcc55ada38e5252a985dd205749bec5cc423cb

      SHA256

      783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

      SHA512

      e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
      MD5

      5f1ed0072d716d250b0eaf6982cdc03b

      SHA1

      62b3ede1369d53017bad62ddda5072817be5ae42

      SHA256

      b182a54926df679c8c8598095a8acb09a8c9d7165e3dd700d92c65a751151a02

      SHA512

      e6a3977c9674f12eb5752d6ff1caa1ee028a3b448bf2d91eb18309a5640e27b542e10acad33808d7065bb2c1a357a3d64e4a077b4321885e994bccf662a5671e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
      MD5

      5f1ed0072d716d250b0eaf6982cdc03b

      SHA1

      62b3ede1369d53017bad62ddda5072817be5ae42

      SHA256

      b182a54926df679c8c8598095a8acb09a8c9d7165e3dd700d92c65a751151a02

      SHA512

      e6a3977c9674f12eb5752d6ff1caa1ee028a3b448bf2d91eb18309a5640e27b542e10acad33808d7065bb2c1a357a3d64e4a077b4321885e994bccf662a5671e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qehtqfiliihs.vbs
      MD5

      d8ec73fc505a91bf46b8d95bcd18e0b8

      SHA1

      942ffe106f5458bd6bbb6c20fc94ba1dfda7041e

      SHA256

      95b1fe47c88ab08f7456b3309c198fbfd52c5d8e1cf12e2abda58efc14111e6e

      SHA512

      34a1dc37439d9cfeedcecce9fd2653159d8981c1f5cf5f1e9daf14f7f6b78018ae52b3299e07a05f7f52cef032a81d094100a18839bf80c5471c4c3cd980a36c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\sqohtjwxmc.exe
      MD5

      2cb997c5e95883623e1dc0d4b2ac2fa0

      SHA1

      4f5d87d8ba60df5191a4a9f72d9c60f6ce925f6a

      SHA256

      3a754304ab6e04dd4317a89bf85eff6cc6ddb9921b277d8f8475dd22850911d1

      SHA512

      2ae6c2c3af5238d27f450722c33ae0552fe5bf03347310d1da52696b0cdd07c27d9aaae1acc622f22bf562b22df62c4bc64bb6da579acb1790908634903c4eeb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\sqohtjwxmc.exe
      MD5

      2cb997c5e95883623e1dc0d4b2ac2fa0

      SHA1

      4f5d87d8ba60df5191a4a9f72d9c60f6ce925f6a

      SHA256

      3a754304ab6e04dd4317a89bf85eff6cc6ddb9921b277d8f8475dd22850911d1

      SHA512

      2ae6c2c3af5238d27f450722c33ae0552fe5bf03347310d1da52696b0cdd07c27d9aaae1acc622f22bf562b22df62c4bc64bb6da579acb1790908634903c4eeb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uksmncvkjp.vbs
      MD5

      a20e54fad601e7f05f5dd49dbed10dca

      SHA1

      c064e7deb52390223837f8a5d2584d9d9cdcecfd

      SHA256

      5c0fbb9e372172d7339ad96bc10603bce8e65eecb58e85ffab3d3cca10482f10

      SHA512

      7bde6adaf7a585c4947a19aed364172e8b1a9aa7559f4c4a9d1817628199ba003c4ec83a3eef8675cab87c05b5f19ec949bcee23f6f7510d1ecc3e101aadc2ab

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
      MD5

      dee7f81724e172738ba8942a2c56c9d0

      SHA1

      debcc55ada38e5252a985dd205749bec5cc423cb

      SHA256

      783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

      SHA512

      e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
      MD5

      dee7f81724e172738ba8942a2c56c9d0

      SHA1

      debcc55ada38e5252a985dd205749bec5cc423cb

      SHA256

      783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

      SHA512

      e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

      Download Submit
    • \Users\Admin\AppData\Local\Temp\SQOHTJ~1.DLL
      MD5

      e9097da0e32ffdd73a63ee1f3ae2eecb

      SHA1

      c06cddfaa09fddf21a66ae63851b84d35530b895

      SHA256

      c718dc6bab05e1de10aca117fc13f1741366ebd09b4036b0b7297b03b252658b

      SHA512

      d00cc189fce713bf8e234aacd6220826f6934e1c4f1dddadac6009e7c2e59f00f2f072f069829c33c4f0cbbd3e7b11e6008117007bf300274f8d1daa2585ffb2

      Download Submit
    • \Users\Admin\AppData\Local\Temp\SQOHTJ~1.DLL
      MD5

      e9097da0e32ffdd73a63ee1f3ae2eecb

      SHA1

      c06cddfaa09fddf21a66ae63851b84d35530b895

      SHA256

      c718dc6bab05e1de10aca117fc13f1741366ebd09b4036b0b7297b03b252658b

      SHA512

      d00cc189fce713bf8e234aacd6220826f6934e1c4f1dddadac6009e7c2e59f00f2f072f069829c33c4f0cbbd3e7b11e6008117007bf300274f8d1daa2585ffb2

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsbD3EC.tmp\UAC.dll
      MD5

      adb29e6b186daa765dc750128649b63d

      SHA1

      160cbdc4cb0ac2c142d361df138c537aa7e708c9

      SHA256

      2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

      SHA512

      b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

      Download Submit
    • memory/1040-147-0x0000000000E10000-0x0000000000F70000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1040-143-0x0000000000000000-mapping.dmp
      Download
    • memory/1168-125-0x00007FF7C8700000-0x00007FF7C901A000-memory.dmp
      Filesize

      9.1MB

      Download
    • memory/1168-123-0x00007FF7C8700000-0x00007FF7C901A000-memory.dmp
      Filesize

      9.1MB

      Download
    • memory/1168-122-0x00007FF7C8700000-0x00007FF7C901A000-memory.dmp
      Filesize

      9.1MB

      Download
    • memory/1168-116-0x0000000000000000-mapping.dmp
      Download
    • memory/1364-148-0x0000000000400000-0x0000000002FE6000-memory.dmp
      Filesize

      43.9MB

      Download
    • memory/1364-142-0x0000000004E40000-0x0000000004F45000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1364-141-0x0000000004D50000-0x0000000004E3E000-memory.dmp
      Filesize

      952KB

      Download
    • memory/1364-136-0x0000000000000000-mapping.dmp
      Download
    • memory/1548-124-0x0000000000890000-0x0000000000EFC000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/1548-129-0x0000000000890000-0x0000000000EFC000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/1548-128-0x0000000000890000-0x0000000000EFC000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/1548-126-0x0000000000890000-0x0000000000EFC000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/1548-127-0x0000000077DD0000-0x0000000077F5E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1548-119-0x0000000000000000-mapping.dmp
      Download
    • memory/1736-149-0x0000000000000000-mapping.dmp
      Download
    • memory/2388-135-0x00007FF6F74D0000-0x00007FF6F7DEA000-memory.dmp
      Filesize

      9.1MB

      Download
    • memory/2388-134-0x00007FF6F74D0000-0x00007FF6F7DEA000-memory.dmp
      Filesize

      9.1MB

      Download
    • memory/2388-133-0x00007FF6F74D0000-0x00007FF6F7DEA000-memory.dmp
      Filesize

      9.1MB

      Download
    • memory/2388-130-0x0000000000000000-mapping.dmp
      Download
    • memory/2856-139-0x0000000000000000-mapping.dmp
      Download