General

  • Target

    wallpaper (1).jpg

  • Size

    28KB

  • Sample

    240508-vfxmzsgf96

  • MD5

    bdd8868b21390b0f69a5a0dc956a492e

  • SHA1

    c1aab129d3c0f73a143fbbce40de80b12cc4a003

  • SHA256

    4165a8ea1f11af46b2ac475c41bce70b498007c31e366707c81c8890afdd77e4

  • SHA512

    865347cc8637c1282aa737c1012ee05ddd2e50b255b75191f0179f7b28ee04e2fe00320b51f8cb5a9e3de640528531726a296f0b30b16b828451e7d42864362e

  • SSDEEP

    384:glIaWtdyGKa+GorT05y/KVNC1+YwcPPmAJyyZsw4575Dwf9fsdYHl5Bp1GlT7EHj:kInd52yCPPPm97mFkmLp1m7ED

Malware Config

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Targets

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • RevengeRat Executable

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro that only triggers under special circumstances, which is often a sign of malicious intent.

    • Sets file to hidden

      Modifies file attributes so that the file is not shown in Explorer and similar tools.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers new Windows logon scripts automatically executed at logon

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                               Count  ID
  Execution             Scripting                               1      T1064
  Execution             Scheduled Task/Job                      1      T1053
  Persistence           Boot or Logon Autostart Execution       2      T1547
  Persistence             Registry Run Keys / Startup Folder    1      T1547.001
  Persistence             Winlogon Helper DLL                   1      T1547.004
  Persistence           Boot or Logon Initialization Scripts    1      T1037
  Persistence             Logon Script (Windows)                1      T1037.001
  Persistence           Scheduled Task/Job                      1      T1053
  Privilege Escalation  Boot or Logon Autostart Execution       2      T1547
  Privilege Escalation    Registry Run Keys / Startup Folder    1      T1547.001
  Privilege Escalation    Winlogon Helper DLL                   1      T1547.004
  Privilege Escalation  Boot or Logon Initialization Scripts    1      T1037
  Privilege Escalation    Logon Script (Windows)                1      T1037.001
  Privilege Escalation  Scheduled Task/Job                      1      T1053
  Defense Evasion       Modify Registry                         3      T1112
  Defense Evasion       Hide Artifacts                          2      T1564
  Defense Evasion         Hidden Files and Directories          2      T1564.001
  Defense Evasion       Scripting                               1      T1064
  Discovery             Query Registry                          4      T1012
  Discovery             Peripheral Device Discovery             1      T1120
  Discovery             System Information Discovery            4      T1082
  Command and Control   Web Service                             1      T1102

Tasks