Analysis
-
max time kernel
154s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
18-12-2022 19:11
General
-
Target
a2bc5c94f2d768187205178c2d089bf21542c72ca3910d43d5fb796cf0aa08a2.exe
-
Size
214KB
-
MD5
c05d11bf62a4af347ba8caca87eb6b7f
-
SHA1
7c568736f6b62941305b436e803db675e5af1a96
-
SHA256
a2bc5c94f2d768187205178c2d089bf21542c72ca3910d43d5fb796cf0aa08a2
-
SHA512
d8ac0cb6c49a1292c65e9dc2da9e3b7d29d81409b6e4a105cfe650d4b504af244b7ef01432a9aba8c5cd1de0ea983122302b37d7e639727e72ebc589a31ee021
-
SSDEEP
3072:HXUZPFLLQDB7vRwwVPvUTM6Ef81sV2Zx5fxSsa5RwuNRAtOba+4LtlPnZjcbImdl:3U5FLLkB2gFXgfxY5R30TPnZjcbXF
Malware Config
Extracted
danabot
23.236.181.126:443
123.253.35.251:443
66.85.173.3:443
-
embedded_hash
A74585CDE58066055FE7DCD4BF3B5A4C
-
type
loader
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2bc5c94f2d768187205178c2d089bf21542c72ca3910d43d5fb796cf0aa08a2.exe"C:\Users\Admin\AppData\Local\Temp\a2bc5c94f2d768187205178c2d089bf21542c72ca3910d43d5fb796cf0aa08a2.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E767.exeC:\Users\Admin\AppData\Local\Temp\E767.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 202033⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 5082⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 888 -ip 8881⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.4MB
MD5a0db2d56d4a7fc534ebeb6ef7e28e55f
SHA1075c302586e8a722279b991e416cf55b454429e6
SHA256055d30d41fd0a64a382323de3e938a4cb36db2889a444167563c7b8af3745a15
SHA51264877f1290e159175f1ce0aa4c831318dbdefbf5a73dce1973f27bc04aa6ed7f97427b60883c1430bbcf9cb8bba13b20a2875001536bf7d16534611953b76860
-
Filesize
2.4MB
MD5a0db2d56d4a7fc534ebeb6ef7e28e55f
SHA1075c302586e8a722279b991e416cf55b454429e6
SHA256055d30d41fd0a64a382323de3e938a4cb36db2889a444167563c7b8af3745a15
SHA51264877f1290e159175f1ce0aa4c831318dbdefbf5a73dce1973f27bc04aa6ed7f97427b60883c1430bbcf9cb8bba13b20a2875001536bf7d16534611953b76860
-
Filesize
2.4MB
MD5a9810cf4aa2f4ec34061791b9a293777
SHA16533e7dd22a911ae1769f3dbbaa93ae730faefa3
SHA2569f28e3691640498fb92e00574bb35bcda89ed45badf5a2ff9b38fe8a88a5f2c5
SHA512a7b5ed6028db230f33b81aa352beaeb384e43d833e3a033900f928532f0de996a5f299b17f9ff0d0b489214359d9319fc48040050aa8fe0b49ee1a90e9723558
-
Filesize
2.4MB
MD5a9810cf4aa2f4ec34061791b9a293777
SHA16533e7dd22a911ae1769f3dbbaa93ae730faefa3
SHA2569f28e3691640498fb92e00574bb35bcda89ed45badf5a2ff9b38fe8a88a5f2c5
SHA512a7b5ed6028db230f33b81aa352beaeb384e43d833e3a033900f928532f0de996a5f299b17f9ff0d0b489214359d9319fc48040050aa8fe0b49ee1a90e9723558
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.3MB
-
Filesize
3.5MB
-
Filesize
3.6MB
-
Filesize
3.5MB
-
Filesize
3.6MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
2.4MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
2.4MB
-
Filesize
7.1MB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
2.1MB
-
Filesize
2.2MB
-
Filesize
68KB
-
Filesize
36KB
-
Filesize
380KB
-
Filesize
380KB