Overview

overview

10

Static

static

8

8215f0ace6...76.exe

windows7_x64

10

8215f0ace6...76.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    169s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    08-02-2022 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe

  • Size

    4.3MB

  • MD5

    bdde08b2fb6638e9a34a069aa1a29f61

  • SHA1

    8422f03e01dd55e6ef146a23fd745f172d0b94b7

  • SHA256

    8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176

  • SHA512

    5e0634490dc7398003d8d44859284d290e72672611f8b149edab3dac98f6eec93cc2fb4432c8e4bbc547a952ad0174de96707b289c970975ae47a286a930dccd

Score
10/10
danabot3bankerdiscoveryspywarestealersuricatatrojan

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

104.227.34.227:443

64.188.20.187:443

51.195.73.129:443

176.123.2.249:443
Attributes
  • embedded_hash

    6266E79288DFE2AE2C2DB47563C7F93A

  • type

    main

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • suricata: ET MALWARE Danabot Key Exchange Request

    suricata: ET MALWARE Danabot Key Exchange Request

    suricata
  • Blocklisted process makes network request 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 8 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe
    "C:\Users\Admin\AppData\Local\Temp\8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8215F0~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\8215F0~1.EXE
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\8215F0~1.DLL,YAhY
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:4404
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 544
      2⤵
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3444
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4572 -ip 4572
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:4668
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3784
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8215F0~1.DLL
    MD5

    8ae60d14802fac0d5d8ddf4ab4e64cfd

    SHA1

    f8023b26304a891897b57c10a1d0bdec4f9c0d6a

    SHA256

    b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

    SHA512

    1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\8215F0~1.EXE.dll
    MD5

    8ae60d14802fac0d5d8ddf4ab4e64cfd

    SHA1

    f8023b26304a891897b57c10a1d0bdec4f9c0d6a

    SHA256

    b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

    SHA512

    1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\8215F0~1.EXE.dll
    MD5

    8ae60d14802fac0d5d8ddf4ab4e64cfd

    SHA1

    f8023b26304a891897b57c10a1d0bdec4f9c0d6a

    SHA256

    b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

    SHA512

    1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\8215F0~1.EXE.dll
    MD5

    8ae60d14802fac0d5d8ddf4ab4e64cfd

    SHA1

    f8023b26304a891897b57c10a1d0bdec4f9c0d6a

    SHA256

    b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

    SHA512

    1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\8215F0~1.EXE.dll
    MD5

    8ae60d14802fac0d5d8ddf4ab4e64cfd

    SHA1

    f8023b26304a891897b57c10a1d0bdec4f9c0d6a

    SHA256

    b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8

    SHA512

    1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677

    Download Submit
  • memory/3784-154-0x000001C37CF80000-0x000001C37CF90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3784-156-0x000001C37E360000-0x000001C37E364000-memory.dmp
    Filesize

    16KB

    Download
  • memory/3784-155-0x000001C37D760000-0x000001C37D770000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4404-145-0x00000000020D0000-0x000000000249B000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/4404-153-0x00000000028E1000-0x0000000002F40000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/4404-147-0x00000000028E0000-0x0000000002F40000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/4404-148-0x0000000003150000-0x0000000003151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4572-130-0x0000000002E70000-0x000000000323B000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/4572-132-0x0000000000400000-0x00000000007E9000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/4572-131-0x0000000003240000-0x000000000361D000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/4636-138-0x0000000003D00000-0x0000000003D01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4636-146-0x0000000003491000-0x0000000003AF0000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/4636-137-0x0000000003490000-0x0000000003AF0000-memory.dmp
    Filesize

    6.4MB

    Download
  • memory/4636-136-0x0000000002AC0000-0x0000000002E8B000-memory.dmp
    Filesize

    3.8MB

    Download