Overview

overview

10

Static

static

a07a26961f...43.exe

windows7_x64

10

a07a26961f...43.exe

windows10_x64

10

Resubmissions

19-02-2022 18:44

220219-xdz2fachfn 10

31-01-2022 07:14

220131-h2552agegp 10

29-01-2022 08:45

220129-knq53agfcl 10

Analysis

  • max time kernel
    1205s
  • max time network
    1034s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    31-01-2022 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a07a26961fcd37fbbbe292225e069243.exe

  • Size

    1.2MB

  • MD5

    a07a26961fcd37fbbbe292225e069243

  • SHA1

    d4f3c4d7045865e52284544c1957cf3786902404

  • SHA256

    8b73e5a9e4093166d04fcee33db13db39dacbb6a2bb8282282e1ab9558fddc86

  • SHA512

    81fe9aa924055f4a039cd662d4244bbf9a48b6698fbb6bffd891cd59d55a613e67011bcc3ad2420f9d7bf4d2447abdccbf4caff086ab2ae7331e6aa3191fd769

Score
10/10
danabot4bankerdiscoverypersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

5.253.84.124:443

103.175.16.114:443

193.34.166.107:443
Attributes
  • embedded_hash

    422236FD601D11EE82825A484D26DD6F

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Extracted

Family

danabot

Version

2108

Botnet

4

C2

5.253.84.124:443

103.175.16.114:443

193.34.166.107:443
Attributes
  • embedded_hash

    422236FD601D11EE82825A484D26DD6F

  • type

    main

rsa_privkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot Loader Component 9 IoCs
  • suricata: ET MALWARE Danabot Key Exchange Request

    suricata: ET MALWARE Danabot Key Exchange Request

    suricata
  • Blocklisted process makes network request 5 IoCs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Sets service image path in registry 2 TTPs
    persistence
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 64 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe
    "C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll,z C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1348
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k LocalService
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Windows\SysWOW64\RUNDLL32.EXE
      C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll,Rw06Szg=
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll,ol9CMWZab2w=
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\system32\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6030
          4⤵
          • Drops file in System32 directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:340
          • C:\Windows\system32\ctfmon.exe
            ctfmon.exe
            5⤵
              PID:3040

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Install Root Certificate

    1
    T1130

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    3
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\utpgu.tmp
      MD5

      7afff00e154aa57a778d18a45ddcabd8

      SHA1

      9bb34b9d087332ae717390616075d3e3dfc9652f

      SHA256

      640f483fda1814a612992e6ec1158538fe16deac109b4bbdf7d8b134635cafc6

      SHA512

      a27b906d94418611c917b855ebdcfe8ebf9776eee39378f4ef044f505674d99c0842c03d379c631787c672a8cd7fa326402cf81d6c93a472fd2a2d388a0c957d

      Download Submit
    • C:\ProgramData\utpgu.tmp
      MD5

      7671343c7a0acea6c211a3e48aeafa68

      SHA1

      351d8a20f490a8ef5a87b4a8d719db2bc1d97e8e

      SHA256

      bbdc7a3cfc70ea6924e8fc0798c9dd6c4dec70c825b5d7e0caea3521fc21fafb

      SHA512

      0b358170d75ac38ecf9dedd4008a7252fd53ca85cd5c2439927ab6badfbc92a07b73f223aa20dda30907aed06477c933c4b362ee022e029d2768d045e34e318a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
      MD5

      22078973d714eb967f70f0c981c460fc

      SHA1

      e1b604762e14162116e2364de0e7a85c64f34925

      SHA256

      24b361e6dd7ad3dedcfd5979016a20b2d644af1563d234f580539051c480487c

      SHA512

      589bf47f84dbfcade0025445b78679eb3a5e5b45b27e4d1b689bc56710da5b613de142b2ae622768810dcfaecb156e8f872f4b260451e13317628ed880ce4859

      Download Submit
    • \Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
      MD5

      22078973d714eb967f70f0c981c460fc

      SHA1

      e1b604762e14162116e2364de0e7a85c64f34925

      SHA256

      24b361e6dd7ad3dedcfd5979016a20b2d644af1563d234f580539051c480487c

      SHA512

      589bf47f84dbfcade0025445b78679eb3a5e5b45b27e4d1b689bc56710da5b613de142b2ae622768810dcfaecb156e8f872f4b260451e13317628ed880ce4859

      Download Submit
    • \Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
      MD5

      22078973d714eb967f70f0c981c460fc

      SHA1

      e1b604762e14162116e2364de0e7a85c64f34925

      SHA256

      24b361e6dd7ad3dedcfd5979016a20b2d644af1563d234f580539051c480487c

      SHA512

      589bf47f84dbfcade0025445b78679eb3a5e5b45b27e4d1b689bc56710da5b613de142b2ae622768810dcfaecb156e8f872f4b260451e13317628ed880ce4859

      Download Submit
    • \Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
      MD5

      22078973d714eb967f70f0c981c460fc

      SHA1

      e1b604762e14162116e2364de0e7a85c64f34925

      SHA256

      24b361e6dd7ad3dedcfd5979016a20b2d644af1563d234f580539051c480487c

      SHA512

      589bf47f84dbfcade0025445b78679eb3a5e5b45b27e4d1b689bc56710da5b613de142b2ae622768810dcfaecb156e8f872f4b260451e13317628ed880ce4859

      Download Submit
    • \Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
      MD5

      22078973d714eb967f70f0c981c460fc

      SHA1

      e1b604762e14162116e2364de0e7a85c64f34925

      SHA256

      24b361e6dd7ad3dedcfd5979016a20b2d644af1563d234f580539051c480487c

      SHA512

      589bf47f84dbfcade0025445b78679eb3a5e5b45b27e4d1b689bc56710da5b613de142b2ae622768810dcfaecb156e8f872f4b260451e13317628ed880ce4859

      Download Submit
    • \Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
      MD5

      22078973d714eb967f70f0c981c460fc

      SHA1

      e1b604762e14162116e2364de0e7a85c64f34925

      SHA256

      24b361e6dd7ad3dedcfd5979016a20b2d644af1563d234f580539051c480487c

      SHA512

      589bf47f84dbfcade0025445b78679eb3a5e5b45b27e4d1b689bc56710da5b613de142b2ae622768810dcfaecb156e8f872f4b260451e13317628ed880ce4859

      Download Submit
    • \Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
      MD5

      22078973d714eb967f70f0c981c460fc

      SHA1

      e1b604762e14162116e2364de0e7a85c64f34925

      SHA256

      24b361e6dd7ad3dedcfd5979016a20b2d644af1563d234f580539051c480487c

      SHA512

      589bf47f84dbfcade0025445b78679eb3a5e5b45b27e4d1b689bc56710da5b613de142b2ae622768810dcfaecb156e8f872f4b260451e13317628ed880ce4859

      Download Submit
    • memory/340-405-0x00000215C8250000-0x00000215C8412000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/340-407-0x0000000000DF0000-0x0000000000FA1000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/920-134-0x0000000003F20000-0x0000000004070000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/920-135-0x0000000004570000-0x0000000005571000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/1348-151-0x0000000007730000-0x000000000774C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/1348-143-0x00000000045A0000-0x00000000045D6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1348-146-0x0000000004682000-0x0000000004683000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1348-147-0x0000000006F80000-0x0000000006FA2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1348-148-0x0000000007930000-0x0000000007996000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1348-149-0x00000000078C0000-0x0000000007926000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1348-150-0x00000000079A0000-0x0000000007CF0000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1348-145-0x0000000007030000-0x0000000007658000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1348-152-0x0000000007EB0000-0x0000000007EFB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1348-153-0x00000000080E0000-0x0000000008156000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1348-162-0x0000000009170000-0x00000000091A3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1348-163-0x000000007F1C0000-0x000000007F1C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1348-164-0x0000000007E50000-0x0000000007E6E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1348-169-0x00000000092A0000-0x0000000009345000-memory.dmp
      Filesize

      660KB

      Download
    • memory/1348-170-0x0000000009480000-0x0000000009514000-memory.dmp
      Filesize

      592KB

      Download
    • memory/1348-171-0x0000000004683000-0x0000000004684000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1348-364-0x0000000009410000-0x000000000942A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1348-369-0x0000000009400000-0x0000000009408000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1348-144-0x0000000004680000-0x0000000004681000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2704-116-0x0000000002360000-0x000000000245B000-memory.dmp
      Filesize

      1004KB

      Download
    • memory/2704-117-0x0000000000400000-0x0000000000556000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3028-385-0x00000000043D0000-0x0000000004520000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3028-387-0x0000000004A20000-0x0000000005A21000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/3028-406-0x0000000005A30000-0x0000000005CE0000-memory.dmp
      Filesize

      2.7MB

      Download
    • memory/3028-408-0x0000000004A20000-0x0000000005A21000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/3684-129-0x0000000003F70000-0x0000000004F71000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/4000-120-0x0000000005430000-0x0000000006431000-memory.dmp
      Filesize

      16.0MB

      Download