Overview

overview

10

Static

static

697a11fb5e...83.exe

windows7-x64

10

697a11fb5e...83.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe

  • Size

    4.0MB

  • MD5

    817e14be1b3a0979390a8c3cc7c4f9d1

  • SHA1

    ce294e099cefdcfb41ef8463a52be5f0dcd0e992

  • SHA256

    697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783

  • SHA512

    1fc1c1917b583d37ce57903c71a8b987bc3333d0cc309e933dde2f7f816ce5b8e42dd7c883eefd2cbd198952979fb38052cdb1e0756ae023263c4b85db898942

  • SSDEEP

    98304:xiFrwPbHPPquDjTdNwoTPI//JSGZoTw899Y72en:x5bnqunT7woqJpyTw899iH

Score
10/10
danabot3bankercollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

3

C2

192.236.192.241:443

134.119.186.198:443

104.168.156.222:443

192.236.192.238:443
Attributes
  • embedded_hash

    82C66843DE542BC5CB88F713DE39B52B

  • type

    main

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 26 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe
    "C:\Users\Admin\AppData\Local\Temp\697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3312
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\697A11~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\697A11~1.EXE
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\697A11~1.DLL,rFBcfI0=
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Loads dropped DLL
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:4896
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFEA8.tmp.ps1"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2356
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5517.tmp.ps1"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\SysWOW64\nslookup.exe
            "C:\Windows\system32\nslookup.exe" -type=any localhost
            5⤵
              PID:4948
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
            4⤵
              PID:4796
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
              4⤵
                PID:3472
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 444
            2⤵
            • Program crash
            PID:4944
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3312 -ip 3312
          1⤵
            PID:2820

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Query Registry

          3
          T1012

          System Information Discovery

          3
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Email Collection

          2
          T1114

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            6ad58b45ba900fe2b784c35fe1ddd496

            SHA1

            7701cf4dfebc92b77e3d16a4094dac0def34f13a

            SHA256

            139a32ad96800367dc709be507e2b78e667610000be7c68f94c174e6fa60f84f

            SHA512

            168f58da543d5c3a645c9a51916528c8e291f0f49069fb8567328e6960874a97026839a31a3505bcd1cc26320a477fbd095406ff3e12c4419c5429b729cd9c1a

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            17KB

            MD5

            80ab80e8adfc9e4f1871d3a14b365725

            SHA1

            ebeb1f097fc16fc7dee4a4f13084e57545a26a4f

            SHA256

            eebaf76616325e6f3065df05726cd8b3b1eb872f7c57836a79b15377760b5826

            SHA512

            9ded9540f7918f88e518db81312bb410099006acb26f6adafd46d47cd154888dd207a5ebf73be1fd82a26957aa603e1a6bc1c364775cbfaaa47dde1d706ae47c

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\697A11~1.DLL
            Filesize

            3.8MB

            MD5

            bfd6071199ed716a90c57a78b45274b4

            SHA1

            c2af91e2fee92907868eff13a39c2b3787fca4f1

            SHA256

            b64a043a5a33d465e2e8d69a087bc90be11d39b1495ca355c2e3ce4fd1824ee1

            SHA512

            cab575f60e4156923c8db09de32da40250d01ebdc932bf0333f5075f9fb62123c6d7262af63333dd4901b796a8893f49569f1e5f738cbfff2560c5e39f98d7ce

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\697A11~1.EXE.dll
            Filesize

            3.8MB

            MD5

            bfd6071199ed716a90c57a78b45274b4

            SHA1

            c2af91e2fee92907868eff13a39c2b3787fca4f1

            SHA256

            b64a043a5a33d465e2e8d69a087bc90be11d39b1495ca355c2e3ce4fd1824ee1

            SHA512

            cab575f60e4156923c8db09de32da40250d01ebdc932bf0333f5075f9fb62123c6d7262af63333dd4901b796a8893f49569f1e5f738cbfff2560c5e39f98d7ce

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\697A11~1.EXE.dll
            Filesize

            3.8MB

            MD5

            bfd6071199ed716a90c57a78b45274b4

            SHA1

            c2af91e2fee92907868eff13a39c2b3787fca4f1

            SHA256

            b64a043a5a33d465e2e8d69a087bc90be11d39b1495ca355c2e3ce4fd1824ee1

            SHA512

            cab575f60e4156923c8db09de32da40250d01ebdc932bf0333f5075f9fb62123c6d7262af63333dd4901b796a8893f49569f1e5f738cbfff2560c5e39f98d7ce

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\697A11~1.EXE.dll
            Filesize

            3.8MB

            MD5

            bfd6071199ed716a90c57a78b45274b4

            SHA1

            c2af91e2fee92907868eff13a39c2b3787fca4f1

            SHA256

            b64a043a5a33d465e2e8d69a087bc90be11d39b1495ca355c2e3ce4fd1824ee1

            SHA512

            cab575f60e4156923c8db09de32da40250d01ebdc932bf0333f5075f9fb62123c6d7262af63333dd4901b796a8893f49569f1e5f738cbfff2560c5e39f98d7ce

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\697A11~1.EXE.dll
            Filesize

            3.8MB

            MD5

            bfd6071199ed716a90c57a78b45274b4

            SHA1

            c2af91e2fee92907868eff13a39c2b3787fca4f1

            SHA256

            b64a043a5a33d465e2e8d69a087bc90be11d39b1495ca355c2e3ce4fd1824ee1

            SHA512

            cab575f60e4156923c8db09de32da40250d01ebdc932bf0333f5075f9fb62123c6d7262af63333dd4901b796a8893f49569f1e5f738cbfff2560c5e39f98d7ce

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\tmp5517.tmp.ps1
            Filesize

            80B

            MD5

            ffe322a356857c1a5c6d2117df0eea41

            SHA1

            6714667088139618ee159132befc87b42cc59b13

            SHA256

            822abe0b21ab0d8f8248dc3c97943e1009dc81b761e698e154041f3994c071f0

            SHA512

            a9ffe7cc077ff0189076e7b944b2884267667830eb7afb910abfe537df733cb16bc678fc083af26f093356e1ee1ff29fa4094dab89340bfd942dcaa5545e66f1

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\tmp5518.tmp
            Filesize

            86B

            MD5

            1860260b2697808b80802352fe324782

            SHA1

            f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

            SHA256

            0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

            SHA512

            d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\tmpFEA8.tmp.ps1
            Filesize

            261B

            MD5

            d08c2709e4c2db97e49ab7f48b1019b7

            SHA1

            ac2a1602ccf40cdbabbebdac62ae81883e3a73ef

            SHA256

            8b63e6e834763eda5b9d4b2fbb130a54f558b9e18146de0c62430ff4bf33c01b

            SHA512

            3111603f2db44760829ce2223cd3bcd57356887ea649378b0173f746d18313eda5f306288bd803f601a1181a7de9e9b7c6eb693c7a4d4446c8b7426d42efaa4f

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\tmpFEA9.tmp
            Filesize

            1KB

            MD5

            c416c12d1b2b1da8c8655e393b544362

            SHA1

            fb1a43cd8e1c556c2d25f361f42a21293c29e447

            SHA256

            0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

            SHA512

            cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

            Download Submit
          • memory/1660-165-0x0000000000000000-mapping.dmp
            Download
          • memory/1792-140-0x0000000002F30000-0x0000000003592000-memory.dmp
            Filesize

            6.4MB

            Download
          • memory/1792-142-0x0000000002F30000-0x0000000003592000-memory.dmp
            Filesize

            6.4MB

            Download
          • memory/1792-146-0x0000000002F30000-0x0000000003592000-memory.dmp
            Filesize

            6.4MB

            Download
          • memory/1792-135-0x0000000000000000-mapping.dmp
            Download
          • memory/1792-139-0x00000000025E0000-0x00000000029AE000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/2356-160-0x0000000005490000-0x000000000549A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/2356-158-0x00000000066F0000-0x000000000670E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/2356-151-0x0000000000000000-mapping.dmp
            Download
          • memory/2356-163-0x0000000006A60000-0x0000000006A68000-memory.dmp
            Filesize

            32KB

            Download
          • memory/2356-153-0x0000000002DA0000-0x0000000002DD6000-memory.dmp
            Filesize

            216KB

            Download
          • memory/2356-154-0x0000000005820000-0x0000000005E48000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/2356-155-0x0000000005720000-0x0000000005742000-memory.dmp
            Filesize

            136KB

            Download
          • memory/2356-156-0x0000000006000000-0x0000000006066000-memory.dmp
            Filesize

            408KB

            Download
          • memory/2356-157-0x0000000006070000-0x00000000060D6000-memory.dmp
            Filesize

            408KB

            Download
          • memory/2356-162-0x0000000006C40000-0x0000000006C5A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/2356-161-0x0000000007D90000-0x000000000840A000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/3312-132-0x00000000010C5000-0x0000000001492000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/3312-150-0x0000000000400000-0x0000000000C93000-memory.dmp
            Filesize

            8.6MB

            Download
          • memory/3312-149-0x00000000014A0000-0x000000000187F000-memory.dmp
            Filesize

            3.9MB

            Download
          • memory/3312-134-0x0000000000400000-0x0000000000C93000-memory.dmp
            Filesize

            8.6MB

            Download
          • memory/3312-133-0x00000000014A0000-0x000000000187F000-memory.dmp
            Filesize

            3.9MB

            Download
          • memory/3472-172-0x0000000000000000-mapping.dmp
            Download
          • memory/4796-171-0x0000000000000000-mapping.dmp
            Download
          • memory/4896-141-0x0000000000000000-mapping.dmp
            Download
          • memory/4896-152-0x0000000002960000-0x0000000002FC2000-memory.dmp
            Filesize

            6.4MB

            Download
          • memory/4896-148-0x0000000002960000-0x0000000002FC2000-memory.dmp
            Filesize

            6.4MB

            Download
          • memory/4896-147-0x0000000002960000-0x0000000002FC2000-memory.dmp
            Filesize

            6.4MB

            Download
          • memory/4896-145-0x0000000002250000-0x000000000261E000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/4948-169-0x0000000000000000-mapping.dmp
            Download