Malware Analysis Report

2025-03-15 05:53

Sample ID 240629-lgzdjavcqe
Target BananaBot.exe
SHA256 d420da458ca2f642d7f541219cc71ddea42f236c7889c04de4733f08d9b89170
Tags spyware stealer vmprotect
Score 7/10

Analysis Overview

score
7/10

SHA256

d420da458ca2f642d7f541219cc71ddea42f236c7889c04de4733f08d9b89170

Threat Level: Shows suspicious behavior

The file BananaBot.exe was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer vmprotect

VMProtect packed file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-29 09:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 09:30

Reported

2024-06-29 09:33

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BananaBot.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BananaBot.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A
N/A N/A C:\Windows\ja-JP\System.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A
File created C:\Program Files\Mozilla Firefox\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ja-JP\System.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A
File created C:\Windows\ja-JP\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A
File created C:\Windows\PLA\Rules\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A
File created C:\Windows\PLA\Rules\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\ja-JP\System.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ja-JP\System.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\BananaBot.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\BananaBot.exe C:\Windows\system32\cmd.exe
PID 4236 wrote to memory of 840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe
PID 4236 wrote to memory of 840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe
PID 840 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe
PID 840 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe
PID 3184 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe C:\Windows\System32\cmd.exe
PID 3184 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe C:\Windows\System32\cmd.exe
PID 2028 wrote to memory of 2304 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2028 wrote to memory of 2304 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2028 wrote to memory of 1776 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2028 wrote to memory of 1776 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2028 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\ja-JP\System.exe
PID 2028 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\ja-JP\System.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BananaBot.exe

"C:\Users\Admin\AppData\Local\Temp\BananaBot.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe

cola.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8aTcuQgj5N.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8

C:\Windows\ja-JP\System.exe

"C:\Windows\ja-JP\System.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 217.28.222.194:80 217.28.222.194 tcp
RU 217.28.222.194:80 217.28.222.194 tcp
US 8.8.8.8:53 194.222.28.217.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 217.28.222.194:80 217.28.222.194 tcp
RU 217.28.222.194:80 217.28.222.194 tcp
RU 217.28.222.194:80 217.28.222.194 tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 36e7c1d659e3073dde6db4bfb5eac618
SHA1 b4af6a3a5da137515d2eb2c54131d733dfdf72ab
SHA256 cf765bd3468a6787a00fc1b3a66109980e82c857741345ceab81ddfcbb85bd1a
SHA512 29a4b0a8faf2bdf85f291475b06c1ec7a4dfe805d1ce1bd71f1c3dbf8a7f6323af2e823cf0b51676847603db81b0d6d01d146040fec3c8ed73de29a8046dc181

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe

MD5 cb82a3529a3b74bcbcdc52c92880c2bd
SHA1 c1ab84d9771c26141348e5ce618ba78884e0f47e
SHA256 a954630e294cbeec12bb7e858accc68d6191ce5a004c1c2806f8ffbf246c0dce
SHA512 5403816bfe36f3745ed5c8182aceefc2be7eec86fd64982aa8a3b849b05471da948e26f92441a5e459b3fc09357eb8111fc738109e1e7e9760d48f89271205f1

C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe

MD5 95a81dc75ad154ae28b1d52ccb9acb3a
SHA1 f699e7a5b50d012ca7311733d824e801cf6019e5
SHA256 b4c7f2ffe3c274332fc7b4edeb4419d0fb73892a65329444a4abd26b064d08ff
SHA512 30eddb9c5ffbde94dea965cee389a889da2c0c6adc84c29d6415a2f72d31854b8c1e3ff200f609e78659515ce206d3b5318b0f040ce50ee8cea35a24432fee06

memory/3184-22-0x0000000000130000-0x00000000003EC000-memory.dmp

memory/3184-24-0x000000001AF80000-0x000000001AF8E000-memory.dmp

memory/3184-26-0x000000001AFB0000-0x000000001AFCC000-memory.dmp

memory/3184-27-0x000000001B360000-0x000000001B3B0000-memory.dmp

memory/3184-29-0x000000001AFD0000-0x000000001AFE8000-memory.dmp

memory/3184-31-0x000000001AF90000-0x000000001AF9E000-memory.dmp

memory/3184-33-0x000000001AFA0000-0x000000001AFAC000-memory.dmp

memory/3184-35-0x000000001AFF0000-0x000000001AFFE000-memory.dmp

memory/3184-37-0x000000001B000000-0x000000001B00E000-memory.dmp

memory/3184-39-0x000000001B010000-0x000000001B01C000-memory.dmp

memory/3184-55-0x000000001B4B0000-0x000000001B559000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8aTcuQgj5N.bat

MD5 d24d9c72a5eb96afa6a3e08dd5e9a7ed
SHA1 1a5db7852c70995ef11f1572b3fe0284bd8dfa03
SHA256 14e4a52106ef4dee0347bf5cc8dead26021d8180140d506d599c6acea36ae7a1
SHA512 3fb245c830d3abb040c8c7a91aed56ff0f274f5923053a30800a63ab341bcdb381e34f292eab984cf04413c229285b2a1979000d821334a7605a356038000276

memory/2708-68-0x000000001BE30000-0x000000001BED9000-memory.dmp