Malware Analysis Report

2024-10-19 11:59

Sample ID: 221130-repn7sag6y
Target: c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f
SHA256: c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f
Tags: anubis banker infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f
Threat Level: Known bad

The file c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f was found to be: Known bad.

Malicious Activity Summary

anubis banker infostealer trojan

Anubis banker

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Requests dangerous framework permissions

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-30 14:06

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-30 14:06
Reported: 2022-12-02 12:26
Platform: win10v2004-20220812-en
Max time kernel: 151s
Max time network: 179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe"

Signatures

Anubis banker

banker trojan infostealer anubis

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe

"C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe"

C:\Users\Admin\AppData\Local\Temp\7z2.exe

"C:\Users\Admin\AppData\Local\Temp\7z2.exe" x "C:\Users\Admin\AppData\Local\Temp\stubfile.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -y

Network

Country | Destination | Domain | Proto
N/A | 93.184.221.240:80 | | tcp
N/A | 67.24.27.254:80 | | tcp
N/A | 93.184.220.29:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 20.189.173.7:443 | | tcp
N/A | 52.109.13.62:443 | | tcp
N/A | 13.107.4.50:80 | | tcp
N/A | 13.107.4.50:80 | | tcp
N/A | 13.107.4.50:80 | | tcp
N/A | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp

Files

memory/4020-132-0x0000000000920000-0x00000000009B4000-memory.dmp

memory/4020-133-0x00000000052E0000-0x000000000537C000-memory.dmp

memory/4020-134-0x0000000005AF0000-0x0000000006094000-memory.dmp

memory/4020-135-0x0000000005450000-0x00000000054E2000-memory.dmp

memory/4020-136-0x0000000005410000-0x000000000541A000-memory.dmp

memory/4020-137-0x0000000005690000-0x00000000056E6000-memory.dmp

memory/5068-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7z2.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\stubfile.7z

MD5 cda2a5aac4fcb466f42e311fa1082a3d
SHA1 cc9197bef10ed6b24161613bcfa41f1dd9b6e29d
SHA256 4f0945e90196e2fbeb939fb75b04969767e48f78c06920fd6962712fa3202faa
SHA512 9e4d8567a0569e7aed2058c6b972e972eabf38060005202bfb37799a18324da981e2176b9cdedb6272d3ab7db3dffd196984f93f9c711e664f164891e31e2a9f

C:\Users\Admin\AppData\Local\Temp\stub.apk

MD5 907e167bab28358e03413f4a32ff91f1
SHA1 b72068b03565bcb8ac2322a8d8def67c975f488f
SHA256 3c302715512ce87b98ffb0e7ecb8c8638d25c5b0462fd127bb1c638e99b37938
SHA512 003120d75bc469ed2e196946ff7ec6d002e9916f5eb35f303738934f7632ff316e1c527688d742952c17f9db143d1d73803fd1727933e1f26d8fd9ec1dad1de6

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-30 14:06
Reported: 2022-12-02 12:25
Platform: win7-20220812-en
Max time kernel: 42s
Max time network: 45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe"

Signatures

Anubis banker

banker trojan infostealer anubis

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe | N/A
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe

"C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe"

C:\Users\Admin\AppData\Local\Temp\7z2.exe

"C:\Users\Admin\AppData\Local\Temp\7z2.exe" x "C:\Users\Admin\AppData\Local\Temp\stubfile.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -y

Network

N/A

Files

memory/1520-54-0x0000000000F70000-0x0000000001004000-memory.dmp

memory/1520-55-0x0000000074D61000-0x0000000074D63000-memory.dmp

memory/1520-56-0x00000000050F0000-0x0000000005194000-memory.dmp

\Users\Admin\AppData\Local\Temp\7z2.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\7z2.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

memory/900-58-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7z2.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\stubfile.7z

MD5 cda2a5aac4fcb466f42e311fa1082a3d
SHA1 cc9197bef10ed6b24161613bcfa41f1dd9b6e29d
SHA256 4f0945e90196e2fbeb939fb75b04969767e48f78c06920fd6962712fa3202faa
SHA512 9e4d8567a0569e7aed2058c6b972e972eabf38060005202bfb37799a18324da981e2176b9cdedb6272d3ab7db3dffd196984f93f9c711e664f164891e31e2a9f

C:\Users\Admin\AppData\Local\Temp\stub.apk

MD5 907e167bab28358e03413f4a32ff91f1
SHA1 b72068b03565bcb8ac2322a8d8def67c975f488f
SHA256 3c302715512ce87b98ffb0e7ecb8c8638d25c5b0462fd127bb1c638e99b37938
SHA512 003120d75bc469ed2e196946ff7ec6d002e9916f5eb35f303738934f7632ff316e1c527688d742952c17f9db143d1d73803fd1727933e1f26d8fd9ec1dad1de6

memory/1520-63-0x0000000004C05000-0x0000000004C16000-memory.dmp