Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
25-10-2022 15:45
General
-
Target
1addd16c4c3a5faaf16a1fff892d6a01d9cc5820b680d0958023cccc0eac304c.exe
-
Size
255KB
-
MD5
ea62511ffc140ad81f6ad4519bb68d9d
-
SHA1
c59a03bb252dd358c405781a7dacbebe5cd166d3
-
SHA256
1addd16c4c3a5faaf16a1fff892d6a01d9cc5820b680d0958023cccc0eac304c
-
SHA512
d8c1b21ef4816ecd377b379e9d82e270097127ee284412390c615935896f03b797b641177c4ac9944e6c5d5f01ea49ed899054846d4d18927ec267e098027604
-
SSDEEP
3072:NXVc3ffKbL2SSy1Q+fPA84RWz9ruWENQVUtGKFRWpmw:Ji3CLEkQ+fPA83zzYQVU0KzWpN
Malware Config
Extracted
danabot
-
embedded_hash
569235DCA8F16ED8310BBACCB674F896
-
type
loader
Extracted
vidar
55.2
937
https://t.me/slivetalks
https://c.im/@xinibin420
-
profile_id
937
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1addd16c4c3a5faaf16a1fff892d6a01d9cc5820b680d0958023cccc0eac304c.exe"C:\Users\Admin\AppData\Local\Temp\1addd16c4c3a5faaf16a1fff892d6a01d9cc5820b680d0958023cccc0eac304c.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\EA26.exeC:\Users\Admin\AppData\Local\Temp\EA26.exe1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\appidtel.exeC:\Windows\system32\appidtel.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 6162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 9602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 10562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 10962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 10282⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 9522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 10682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 12482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 13122⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\8DE9.exeC:\Users\Admin\AppData\Local\Temp\8DE9.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 17562⤵
- Program crash
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\8DE9.exeFilesize
318KB
MD5e58c70e8e2cde5c7aee3975db0a2e559
SHA14c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe
SHA2562a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf
SHA512b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8
-
C:\Users\Admin\AppData\Local\Temp\8DE9.exeFilesize
318KB
MD5e58c70e8e2cde5c7aee3975db0a2e559
SHA14c88ba2a9c7cd614c74fdb34d17ee5d82fc6a4fe
SHA2562a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf
SHA512b4a49e871630b96e94833ca794c2982e96ceb03052fcfbe58e7b3c7e2868a5d2f837f0ed8173bef0b22ba38be28ec22584fabd0d199b0706ae71b9481880adf8
-
C:\Users\Admin\AppData\Local\Temp\EA26.exeFilesize
8.4MB
MD5febec851b0cd98f6b628a1ef567f6ecb
SHA172409831f8ddf8b7e97be8a63af7c7d93fed8249
SHA256d08d5bcd7ac37694068e193afbff3460992a5b44d599bb2642529622a5c69a34
SHA512545cb635fdebace748edfa94b4b4a840fbacf21d481ee05f2bdf35f88ffa7496d1bdeef720ee98841956313f62b575a16854d9cdc83ef8c81973451cb00b37e3
-
C:\Users\Admin\AppData\Local\Temp\EA26.exeFilesize
8.4MB
MD5febec851b0cd98f6b628a1ef567f6ecb
SHA172409831f8ddf8b7e97be8a63af7c7d93fed8249
SHA256d08d5bcd7ac37694068e193afbff3460992a5b44d599bb2642529622a5c69a34
SHA512545cb635fdebace748edfa94b4b4a840fbacf21d481ee05f2bdf35f88ffa7496d1bdeef720ee98841956313f62b575a16854d9cdc83ef8c81973451cb00b37e3
-
\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
\ProgramData\sqlite3.dllFilesize
1.1MB
MD51f44d4d3087c2b202cf9c90ee9d04b0f
SHA1106a3ebc9e39ab6ddb3ff987efb6527c956f192d
SHA2564841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260
SHA512b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45
-
memory/1876-258-0x0000000000400000-0x0000000002C3D000-memory.dmpFilesize
40.2MB
-
memory/1876-249-0x0000000002D90000-0x0000000002DD9000-memory.dmpFilesize
292KB
-
memory/1876-248-0x0000000002FF1000-0x000000000301D000-memory.dmpFilesize
176KB
-
memory/1876-296-0x0000000002FF1000-0x000000000301D000-memory.dmpFilesize
176KB
-
memory/1876-203-0x0000000000000000-mapping.dmp
-
memory/1876-297-0x0000000000400000-0x0000000002C3D000-memory.dmpFilesize
40.2MB
-
memory/2112-183-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-169-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-345-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/2112-344-0x0000000007350000-0x0000000007E02000-memory.dmpFilesize
10.7MB
-
memory/2112-310-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/2112-202-0x0000000003790000-0x0000000003FD2000-memory.dmpFilesize
8.3MB
-
memory/2112-201-0x0000000005890000-0x0000000006266000-memory.dmpFilesize
9.8MB
-
memory/2112-200-0x0000000000400000-0x0000000003455000-memory.dmpFilesize
48.3MB
-
memory/2112-186-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-187-0x0000000005890000-0x0000000006266000-memory.dmpFilesize
9.8MB
-
memory/2112-185-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-184-0x0000000003790000-0x0000000003FD2000-memory.dmpFilesize
8.3MB
-
memory/2112-182-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-181-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-180-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-178-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-179-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-177-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-176-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-175-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-174-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-173-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-172-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-171-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-153-0x0000000000000000-mapping.dmp
-
memory/2112-168-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-155-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-156-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-157-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-158-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-159-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-160-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-161-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-170-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-164-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-165-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-166-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2112-167-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-150-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-138-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-128-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-152-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/2896-149-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-151-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-130-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-148-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-147-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-146-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-145-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/2896-144-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-142-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-143-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-141-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-116-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-135-0x0000000002C30000-0x0000000002D7A000-memory.dmpFilesize
1.3MB
-
memory/2896-140-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-139-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-129-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-131-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-132-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-133-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-137-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-136-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-134-0x0000000002ED1000-0x0000000002EE6000-memory.dmpFilesize
84KB
-
memory/2896-127-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-126-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-125-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-124-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-123-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-122-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-121-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-120-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-119-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-118-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/2896-117-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/3632-190-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/3632-189-0x00000000779D0000-0x0000000077B5E000-memory.dmpFilesize
1.6MB
-
memory/3632-188-0x0000000000000000-mapping.dmp