Overview
overview
10Static
static
10The-MALWAR...ot.exe
windows11-21h2-x64
3The-MALWAR...ll.exe
windows11-21h2-x64
10The-MALWAR...BS.exe
windows11-21h2-x64
10The-MALWAR...in.exe
windows11-21h2-x64
7The-MALWAR....A.exe
windows11-21h2-x64
1The-MALWAR....A.exe
windows11-21h2-x64
10The-MALWAR....A.dll
windows11-21h2-x64
6The-MALWAR...r.xlsm
windows11-21h2-x64
10The-MALWAR...36c859
windows11-21h2-x64
1The-MALWAR...caa742
windows11-21h2-x64
1The-MALWAR...c1a732
windows11-21h2-x64
1The-MALWAR...57c046
windows11-21h2-x64
1The-MALWAR...4cde86
windows11-21h2-x64
1The-MALWAR...460a01
windows11-21h2-x64
1The-MALWAR...ece0c5
windows11-21h2-x64
1The-MALWAR...257619
windows11-21h2-x64
1The-MALWAR...fbcc59
windows11-21h2-x64
1The-MALWAR...54f69c
windows11-21h2-x64
1The-MALWAR...d539a6
windows11-21h2-x64
1The-MALWAR...4996dd
windows11-21h2-x64
1The-MALWAR...8232d5
windows11-21h2-x64
1The-MALWAR...66b948
windows11-21h2-x64
1The-MALWAR...f9db86
windows11-21h2-x64
1The-MALWAR...ea2485
windows11-21h2-x64
1The-MALWAR...us.exe
windows11-21h2-x64
6The-MALWAR....a.exe
windows11-21h2-x64
1The-MALWAR....a.exe
windows11-21h2-x64
7The-MALWAR...ok.exe
windows11-21h2-x64
1The-MALWAR...y.html
windows11-21h2-x64
1The-MALWAR...ft.exe
windows11-21h2-x64
4The-MALWAR...en.exe
windows11-21h2-x64
6The-MALWAR...min.js
windows11-21h2-x64
1Analysis
-
max time kernel
1396s -
max time network
1173s -
platform
windows11-21h2_x64 -
resource
win11-20231128-en -
resource tags
arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system -
submitted
04-12-2023 17:56
Static task
static1
Behavioral task
behavioral1
Sample
The-MALWARE-Repo-master/Banking-Malware/DanaBot.exe
Resource
win11-20231128-en
Behavioral task
behavioral2
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Dridex.JhiSharp.dll.exe
Resource
win11-20231128-en
Behavioral task
behavioral3
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexDroppedVBS.exe
Resource
win11-20231128-en
Behavioral task
behavioral4
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexLoader.bin.exe
Resource
win11-20231129-en
Behavioral task
behavioral5
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe
Resource
win11-20231129-en
Behavioral task
behavioral6
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe
Resource
win11-20231129-en
Behavioral task
behavioral7
Sample
The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
Resource
win11-20231128-en
Behavioral task
behavioral8
Sample
The-MALWARE-Repo-master/Banking-Malware/Zloader.xlsm
Resource
win11-20231128-en
Behavioral task
behavioral9
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
Resource
win11-20231128-en
Behavioral task
behavioral10
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742
Resource
win11-20231128-en
Behavioral task
behavioral11
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732
Resource
win11-20231128-en
Behavioral task
behavioral12
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
Resource
win11-20231129-en
Behavioral task
behavioral13
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86
Resource
win11-20231129-en
Behavioral task
behavioral14
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01
Resource
win11-20231129-en
Behavioral task
behavioral15
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5
Resource
win11-20231129-en
Behavioral task
behavioral16
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619
Resource
win11-20231129-en
Behavioral task
behavioral17
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
Resource
win11-20231128-en
Behavioral task
behavioral18
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c
Resource
win11-20231128-en
Behavioral task
behavioral19
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6
Resource
win11-20231129-en
Behavioral task
behavioral20
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd
Resource
win11-20231128-en
Behavioral task
behavioral21
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/90b61cc77bb2d726219fd00ae2d0ecdf6f0fe7078529e87b7ec8e603008232d5
Resource
win11-20231128-en
Behavioral task
behavioral22
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948
Resource
win11-20231128-en
Behavioral task
behavioral23
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/985ffee662969825146d1b465d068ea4f5f01990d13827511415fd497cf9db86
Resource
win11-20231129-en
Behavioral task
behavioral24
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/d1e82d4a37959a9e6b661e31b8c8c6d2813c93ac92508a2771b2491b04ea2485
Resource
win11-20231129-en
Behavioral task
behavioral25
Sample
The-MALWARE-Repo-master/Email-Worm/Amus.exe
Resource
win11-20231129-en
Behavioral task
behavioral26
Sample
The-MALWARE-Repo-master/Email-Worm/Anap.a.exe
Resource
win11-20231128-en
Behavioral task
behavioral27
Sample
The-MALWARE-Repo-master/Email-Worm/Axam.a.exe
Resource
win11-20231129-en
Behavioral task
behavioral28
Sample
The-MALWARE-Repo-master/Email-Worm/Brontok.exe
Resource
win11-20231129-en
Behavioral task
behavioral29
Sample
The-MALWARE-Repo-master/Email-Worm/BubbleBoy.html
Resource
win11-20231129-en
Behavioral task
behavioral30
Sample
The-MALWARE-Repo-master/Email-Worm/Bugsoft.exe
Resource
win11-20231129-en
Behavioral task
behavioral31
Sample
The-MALWARE-Repo-master/Email-Worm/Duksten.exe
Resource
win11-20231129-en
Behavioral task
behavioral32
Sample
The-MALWARE-Repo-master/Email-Worm/Emin.js
Resource
win11-20231128-en
General
-
Target
The-MALWARE-Repo-master/Banking-Malware/Zloader.xlsm
-
Size
93KB
-
MD5
b36a0543b28f4ad61d0f64b729b2511b
-
SHA1
bf62dc338b1dd50a3f7410371bc3f2206350ebea
-
SHA256
90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c
-
SHA512
cf691e088f9852a3850ee458ef56406ead4aea539a46f8f90eb8e300bc06612a66dfa6c9dee8dcb801e7edf7fb4ed35226a5684f4164eaad073b9511189af037
-
SSDEEP
1536:0sqG3SkDNIVXnR8TeYSSkCXgN+Uu+j6XJaRqWD/0ACKNONUhfy:0sNrxWXnCjiubXKD/EQA
Malware Config
Extracted
https://erpoweredent.at/3/zte.dll
Signatures
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4396 3608 DW20.EXE 78 -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 dwwin.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwwin.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3608 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3608 EXCEL.EXE 3608 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE 3608 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3608 wrote to memory of 4396 3608 EXCEL.EXE 83 PID 3608 wrote to memory of 4396 3608 EXCEL.EXE 83 PID 4396 wrote to memory of 4736 4396 DW20.EXE 85 PID 4396 wrote to memory of 4736 4396 DW20.EXE 85
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 44002⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 44003⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4736
-
-