Overview

overview

10

Static

static

7

GWBI7H74fh...SR.exe

windows7-x64

10

GWBI7H74fh...SR.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-06-2024 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GWBI7H74fhGgtebteb5GSR.exe

  • Size

    6.1MB

  • MD5

    337d48261da1a0b48edd2c66991d1ac2

  • SHA1

    b04bef931efdc0ff889d84461ad97dac48fee4fc

  • SHA256

    5225d9f8fde5e11240a7035a6988b7ee3ffca419eea8ca473e845ba0502bad3b

  • SHA512

    aeb55d66a63fc57c04644c8ff33fe640ebe4ed9245677b653c2319bd1d94de86e3623d742591301f0ba712614dd1ac42a6a238360c94b36f56e981d4821ed59a

  • SSDEEP

    196608:rKppFEfoHJbI9Q0mOOZJYi3SGilZfjadonLE:rK7FtbIfQD9MfGdonL

Score
10/10
danabotbankercollectiondiscoveryspywarestealertrojanupx

Malware Config

Extracted

Family

danabot

Attributes
  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GWBI7H74fhGgtebteb5GSR.exe
    "C:\Users\Admin\AppData\Local\Temp\GWBI7H74fhGgtebteb5GSR.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 C:\Users\Admin\AppData\Local\Temp\GWBI7H74fhGgtebteb5GSR.exe
      2⤵
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • outlook_office_path
      • outlook_win_path
      PID:3108

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Hfeuith
    Filesize

    46KB

    MD5

    b13fcb3223116f6eec60be9143cae98b

    SHA1

    9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88

    SHA256

    961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b

    SHA512

    89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d

    Download Submit

  • memory/3108-33-0x0000011FBBBD0000-0x0000011FBC534000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/3108-66-0x0000011FBBBD0000-0x0000011FBC534000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/3108-70-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3108-31-0x0000011FBBBD0000-0x0000011FBC534000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/3108-34-0x0000011FBBBD0000-0x0000011FBC534000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/3108-22-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3108-30-0x0000011FBBBD0000-0x0000011FBC534000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/3108-32-0x0000011FBBBD0000-0x0000011FBC534000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/3108-29-0x0000011FBBBD0000-0x0000011FBC534000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/3108-27-0x0000011FBDD50000-0x0000011FBDE90000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3108-25-0x00007FFB6C960000-0x00007FFB6C961000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3108-26-0x0000011FBDD50000-0x0000011FBDE90000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3108-28-0x0000011FBBBD0000-0x0000011FBC534000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/5036-16-0x0000000003D50000-0x00000000046B4000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/5036-0-0x0000000000400000-0x0000000001741000-memory.dmp

    Filesize

    19.3MB

    Download

  • memory/5036-12-0x00000000047C0000-0x0000000004900000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5036-11-0x00000000047C0000-0x0000000004900000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5036-10-0x00007FFB6E260000-0x00007FFB6E261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5036-17-0x00007FFB6ED70000-0x00007FFB6ED71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5036-9-0x00000000047C0000-0x0000000004900000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5036-8-0x00000000047C0000-0x0000000004900000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5036-7-0x00007FFB6D180000-0x00007FFB6D181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5036-18-0x00000000047C0000-0x0000000004900000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5036-21-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5036-20-0x00007FFB6EC0D000-0x00007FFB6EC0E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5036-19-0x00000000047C0000-0x0000000004900000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5036-13-0x00007FFB6E270000-0x00007FFB6E271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5036-15-0x00000000047C0000-0x0000000004900000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5036-14-0x00000000047C0000-0x0000000004900000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5036-5-0x0000000063080000-0x0000000063301000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/5036-6-0x000000006E400000-0x000000006E49E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/5036-3-0x0000000063080000-0x0000000063301000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/5036-4-0x000000006E400000-0x000000006E49E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/5036-50-0x0000000003D50000-0x00000000046B4000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/5036-52-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5036-51-0x0000000000400000-0x0000000001741000-memory.dmp

    Filesize

    19.3MB

    Download

  • memory/5036-2-0x0000000003D50000-0x00000000046B4000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/5036-1-0x0000000003D50000-0x00000000046B4000-memory.dmp

    Filesize

    9.4MB

    Download