danabot | 8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537

Analysis

max time kernel
150s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
29-09-2022 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe
Size

290KB
MD5

2c6b5d22740b0aa6d1cd4a6720117246
SHA1

d2227060929b88f8a16b2fec50318c12ca899a27
SHA256

8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537
SHA512

23e099f476a74cfee4767676b2cd287518898abdc2d73fb596b32e83838c2b6e7a09029b85d17e8e49c9d76c2a230e4959a2925a984c7104cb41c8594d9e78b1
SSDEEP

6144:zYfBgeMRrKsW3towlz877/ciz7CV0RwwVfgI:zVRr23mV0aCuRk

Score

10^/10

danabot redline insmix banker infostealer trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Extracted

Family

redline

Botnet

insmix

jamesmillion2.xyz:9420

Attributes

auth_value
f388a05524f756108c9e4b0f4c4bafb6

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

2B36.exe6235.exe

pid process

1444 2B36.exe
4860 6235.exe
Deletes itself 1 IoCs

Processes:

pid process

2952

pid	process
1444	2B36.exe
4860	6235.exe

pid	process
2952

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe

pid	process
328	8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe
328	8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2952
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe

pid process

328 8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6235.exe

description pid process

Token: SeShutdownPrivilege 2952
Token: SeCreatePagefilePrivilege 2952
Token: SeDebugPrivilege 4860 6235.exe

pid	process
2952

description	pid	process
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952
Token: SeDebugPrivilege	4860	6235.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2B36.exe

description	pid	process	target process
PID 2952 wrote to memory of 1444	2952		2B36.exe
PID 2952 wrote to memory of 1444	2952		2B36.exe
PID 2952 wrote to memory of 1444	2952		2B36.exe
PID 1444 wrote to memory of 1324	1444	2B36.exe	appidtel.exe
PID 1444 wrote to memory of 1324	1444	2B36.exe	appidtel.exe
PID 1444 wrote to memory of 1324	1444	2B36.exe	appidtel.exe
PID 2952 wrote to memory of 4860	2952		6235.exe
PID 2952 wrote to memory of 4860	2952		6235.exe
PID 2952 wrote to memory of 4860	2952		6235.exe

C:\Users\Admin\AppData\Local\Temp\8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe
"C:\Users\Admin\AppData\Local\Temp\8af4dded3d07dddf19d216bbcfd48d9a926407757a67903d0b901cbf03c64537.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:328

C:\Users\Admin\AppData\Local\Temp\2B36.exe
C:\Users\Admin\AppData\Local\Temp\2B36.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\6235.exe
C:\Users\Admin\AppData\Local\Temp\6235.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2B36.exe
Filesize
1.4MB

MD5
83715ff8db0e224f03322b8407dedccc

SHA1
07bf71acd041e5e601f0a24b7fae3174f0ff316e

SHA256
a6e3f4da4ebd6ca84f8fa21e5e5390fd941c3620e322434991d2e9301e76ca4f

SHA512
7d40efe91bc15eb4f92a38d165e460a68a58f7533c312cc4be345ea32a458109bc204cf15269ee33636de024548f66231220f57e15e12ebc339721866661422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B36.exe
Filesize
1.4MB

MD5
83715ff8db0e224f03322b8407dedccc

SHA1
07bf71acd041e5e601f0a24b7fae3174f0ff316e

SHA256
a6e3f4da4ebd6ca84f8fa21e5e5390fd941c3620e322434991d2e9301e76ca4f

SHA512
7d40efe91bc15eb4f92a38d165e460a68a58f7533c312cc4be345ea32a458109bc204cf15269ee33636de024548f66231220f57e15e12ebc339721866661422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6235.exe
Filesize
304KB

MD5
15f1517f0ceaaf9b6c78cf7625510c07

SHA1
8aabce20aff43476586a1b69b0b761a7f39d1e7e

SHA256
d0d47dec11c63b6fa1a2dcac89e5a7352220e371b728781de041bf42fa8965fb

SHA512
931a79a6e0d38c9b59b03a68d31e3c8fdb2b51e5eeed1df45790eba38f516f767ed67d9edd10bef16d169dc253c81ba6afb5d52738761cc2fa84f601f86b3516

Download Submit
C:\Users\Admin\AppData\Local\Temp\6235.exe
Filesize
304KB

MD5
15f1517f0ceaaf9b6c78cf7625510c07

SHA1
8aabce20aff43476586a1b69b0b761a7f39d1e7e

SHA256
d0d47dec11c63b6fa1a2dcac89e5a7352220e371b728781de041bf42fa8965fb

SHA512
931a79a6e0d38c9b59b03a68d31e3c8fdb2b51e5eeed1df45790eba38f516f767ed67d9edd10bef16d169dc253c81ba6afb5d52738761cc2fa84f601f86b3516

Download Submit
memory/328-143-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-124-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-126-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-127-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-128-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-129-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-120-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-131-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-132-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-133-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-135-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-136-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-137-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-138-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-139-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-140-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-141-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-145-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-130-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-125-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-142-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-146-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-147-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-148-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/328-149-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-150-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-151-0x0000000000450000-0x00000000004FE000-memory.dmp

Filesize
696KB

Download
memory/328-152-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/328-153-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-154-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-155-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-156-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-157-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-158-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/328-144-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-123-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-122-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-121-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1324-194-0x0000000000000000-mapping.dmp

Download
memory/1324-195-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-166-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-190-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-167-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-164-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-170-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-171-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-172-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-173-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-174-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-175-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-176-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-177-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-178-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-179-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-181-0x0000000000AD0000-0x0000000000C00000-memory.dmp

Filesize
1.2MB

Download
memory/1444-180-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-183-0x00000000024A0000-0x000000000277B000-memory.dmp

Filesize
2.9MB

Download
memory/1444-184-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-186-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-187-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-188-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-189-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-191-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-192-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-193-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-165-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-185-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-182-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-163-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-162-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-198-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1444-300-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1444-161-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1444-159-0x0000000000000000-mapping.dmp

Download
memory/1444-297-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1444-295-0x00000000024A0000-0x000000000277B000-memory.dmp

Filesize
2.9MB

Download
memory/1444-294-0x0000000000AD0000-0x0000000000C00000-memory.dmp

Filesize
1.2MB

Download
memory/4860-277-0x00000000059A0000-0x00000000059DE000-memory.dmp

Filesize
248KB

Download
memory/4860-260-0x00000000021D0000-0x0000000002207000-memory.dmp

Filesize
220KB

Download
memory/4860-261-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4860-272-0x0000000005380000-0x0000000005986000-memory.dmp

Filesize
6.0MB

Download
memory/4860-273-0x0000000002840000-0x0000000002852000-memory.dmp

Filesize
72KB

Download
memory/4860-274-0x0000000004D60000-0x0000000004E6A000-memory.dmp

Filesize
1.0MB

Download
memory/4860-259-0x00000000005B0000-0x000000000065E000-memory.dmp

Filesize
696KB

Download
memory/4860-285-0x0000000005B10000-0x0000000005B5B000-memory.dmp

Filesize
300KB

Download
memory/4860-258-0x0000000002420000-0x000000000244E000-memory.dmp

Filesize
184KB

Download
memory/4860-256-0x0000000004E80000-0x000000000537E000-memory.dmp

Filesize
5.0MB

Download
memory/4860-251-0x0000000002350000-0x0000000002380000-memory.dmp

Filesize
192KB

Download
memory/4860-298-0x00000000005B0000-0x000000000065E000-memory.dmp

Filesize
696KB

Download
memory/4860-207-0x0000000000000000-mapping.dmp

Download