Loading... Additional Content is being loaded
Windows
Analysis Report
AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msi
Overview
General Information
| Sample name: | AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msi |
| Analysis ID: | 1432009 |
| MD5: | 3f79740f726f7d412336fafc9feba28f |
| SHA1: | f5580579105ac3dde64bd65fd1371fa8c5313e70 |
| SHA256: | a4781c64764c1c030790269eae5f56e6a56edaac3f548db5caeb46b65acc6735 |
| Infos: |   |
 |
|
Detection
DanaBot
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for dropped file
Yara detected DanaBot stealer dll
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
May use the Tor software to hide its network traffic
PE file has a writeable .text section
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Registers a new ROOT certificate
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| DanaBot | Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBots modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. |
|
|
AV Detection |
  |
|---|
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
Code function: |
19_2_6CC70CCC | |
| Source: |
Code function: |
19_2_6CCAACD9 | |
| Source: |
Code function: |
19_2_6CC78CD9 | |
| Source: |
Code function: |
19_2_6CC92CE7 | |
| Source: |
Code function: |
19_2_6CCA8C87 | |
| Source: |
Code function: |
19_2_6CC78C88 | |
| Source: |
Code function: |
19_2_6CC70C98 | |
| Source: |
Code function: |
19_2_6CC9ACA8 | |
| Source: |
Code function: |
19_2_6CC64CA0 | |
| Source: |
Code function: |
19_2_6CC72C49 | |
| Source: |
Code function: |
19_2_6CC72C67 | |
| Source: |
Code function: |
19_2_6CC7CC70 | |
| Source: |
Code function: |
19_2_6CC92C74 | |
| Source: |
Code function: |
19_2_6CC7CC11 | |
| Source: |
Code function: |
19_2_6CC80C13 | |
| Source: |
Code function: |
19_2_6CCACDC3 | |
| Source: |
Code function: |
19_2_6CC98DC7 | |
| Source: |
Code function: |
19_2_6CC78DE0 | |
| Source: |
Code function: |
19_2_6CCB4DE0 | |
| Source: |
Code function: |
19_2_6CCA8DF9 | |
| Source: |
Code function: |
19_2_6CC64DF0 | |
| Source: |
Code function: |
19_2_6CCB0DF0 | |
| Source: |
Code function: |
19_2_6CC92D8C | |
| Source: |
Code function: |
19_2_6CC82D90 | |
| Source: |
Code function: |
19_2_6CCACD90 | |
| Source: |
Code function: |
19_2_6CC92D40 | |
| Source: |
Code function: |
19_2_6CC88D53 | |
| Source: |
Code function: |
19_2_6CC80D70 | |
| Source: |
Code function: |
19_2_6CC98EC9 | |
| Source: |
Code function: |
19_2_6CC84EDB | |
| Source: |
Code function: |
19_2_6CC64ED0 | |
| Source: |
Code function: |
19_2_6CCB4EF0 | |
| Source: |
Code function: |
19_2_6CC8AE97 | |
| Source: |
Code function: |
19_2_6CC94EA0 | |
| Source: |
Code function: |
19_2_6CCA4EA0 | |
| Source: |
Code function: |
19_2_6CCA0E62 | |
| Source: |
Code function: |
19_2_6CC8AE70 | |
| Source: |
Code function: |
19_2_6CC66E36 | |
| Source: |
Code function: |
19_2_6CC92E35 | |
| Source: |
Code function: |
19_2_6CC9EFC0 | |
| Source: |
Code function: |
19_2_6CC64FD0 | |
| Source: |
Code function: |
19_2_6CC76FE9 | |
| Source: |
Code function: |
19_2_6CC72FF0 | |
| Source: |
Code function: |
19_2_6CC90FF7 | |
| Source: |
Code function: |
19_2_6CC88F80 | |
| Source: |
Code function: |
19_2_6CC8AF81 | |
| Source: |
Code function: |
19_2_6CC8AFB9 | |
| Source: |
Code function: |
19_2_6CC8EFB0 | |
| Source: |
Code function: |
19_2_6CC98F60 | |
| Source: |
Code function: |
19_2_6CC6CF70 | |
| Source: |
Code function: |
19_2_6CC64F7C | |
| Source: |
Code function: |
19_2_6CC76F00 | |
| Source: |
Code function: |
19_2_6CC768C4 | |
| Source: |
Code function: |
19_2_6CCB08E0 | |
| Source: |
Code function: |
19_2_6CC668A0 | |
| Source: |
Code function: |
19_2_6CCA08A3 | |
| Source: |
Code function: |
19_2_6CCAA8A0 | |
| Source: |
Code function: |
19_2_6CC80864 | |
| Source: |
Code function: |
19_2_6CC76813 | |
| Source: |
Code function: |
19_2_6CC669C3 | |
| Source: |
Code function: |
19_2_6CC729E0 | |
| Source: |
Code function: |
19_2_6CC789EC | |
| Source: |
Code function: |
19_2_6CC7C986 | |
| Source: |
Code function: |
19_2_6CCA89A1 | |
| Source: |
Code function: |
19_2_6CCA69B5 | |
| Source: |
Code function: |
19_2_6CC9C976 | |
| Source: |
Code function: |
19_2_6CC64900 | |
| Source: |
Code function: |
19_2_6CC8A900 | |
| Source: |
Code function: |
19_2_6CC6A917 | |
| Source: |
Code function: |
19_2_6CCA0911 | |
| Source: |
Code function: |
19_2_6CCAAAFC | |
| Source: |
Code function: |
19_2_6CC9EA89 | |
| Source: |
Code function: |
19_2_6CC78AA4 | |
| Source: |
Code function: |
19_2_6CC64AA9 | |
| Source: |
Code function: |
19_2_6CC8CA4C | |
| Source: |
Code function: |
19_2_6CC70A4C | |
| Source: |
Code function: |
19_2_6CC9CA53 | |
| Source: |
Code function: |
19_2_6CC9CA39 | |
| Source: |
Code function: |
19_2_6CC98BC0 | |
| Source: |
Code function: |
19_2_6CC72BEC | |
| Source: |
Code function: |
19_2_6CC72B81 | |
| Source: |
Code function: |
19_2_6CC7CB9B | |
| Source: |
Code function: |
19_2_6CC88BA0 | |
| Source: |
Code function: |
19_2_6CC94BB3 | |
| Source: |
Code function: |
19_2_6CC66B58 | |
| Source: |
Code function: |
19_2_6CC70B60 | |
| Source: |
Code function: |
19_2_6CC92B70 | |
| Source: |
Code function: |
19_2_6CC70B18 | |
| Source: |
Code function: |
19_2_6CC78B36 | |
| Source: |
Code function: |
19_2_6CC70B3A | |
| Source: |
Code function: |
19_2_6CC624C1 | |
| Source: |
Code function: |
19_2_6CC9C4D0 | |
| Source: |
Code function: |
19_2_6CC624F7 | |
| Source: |
Code function: |
19_2_6CC644F0 | |
| Source: |
Code function: |
19_2_6CC8A4F0 | |
| Source: |
Code function: |
19_2_6CC66480 | |
| Source: |
Code function: |
19_2_6CC62493 | |
| Source: |
Code function: |
19_2_6CC664B3 | |
| Source: |
Code function: |
19_2_6CC704B0 | |
| Source: |
Code function: |
19_2_6CC8E4B3 | |
| Source: |
Code function: |
19_2_6CC8044B | |
| Source: |
Code function: |
19_2_6CC78440 | |
| Source: |
Code function: |
19_2_6CC74450 | |
| Source: |
Code function: |
19_2_6CC9E47C | |
| Source: |
Code function: |
19_2_6CC74410 | |
| Source: |
Code function: |
19_2_6CC6A430 | |
| Source: |
Code function: |
19_2_6CC8C5C8 | |
| Source: |
Code function: |
19_2_6CC745E0 | |
| Source: |
Code function: |
19_2_6CC7C5E0 | |
| Source: |
Code function: |
19_2_6CC6A5F7 | |
| Source: |
Code function: |
19_2_6CC7C583 | |
| Source: |
Code function: |
19_2_6CCAE580 | |
| Source: |
Code function: |
19_2_6CCB0550 | |
| Source: |
Code function: |
19_2_6CC6A566 | |
| Source: |
Code function: |
19_2_6CC7850C | |
| Source: |
Code function: |
19_2_6CC70510 | |
| Source: |
Code function: |
19_2_6CC7453B | |
| Source: |
Code function: |
19_2_6CC706C0 | |
| Source: |
Code function: |
19_2_6CC8C6E7 | |
| Source: |
Code function: |
19_2_6CCA6680 | |
| Source: |
Code function: |
19_2_6CC6A690 | |
| Source: |
Code function: |
19_2_6CCB0690 | |
| Source: |
Code function: |
19_2_6CC8C6A1 | |
| Source: |
Code function: |
19_2_6CC80640 | |
| Source: |
Code function: |
19_2_6CC8C650 | |
| Source: |
Code function: |
19_2_6CC80664 | |
| Source: |
Code function: |
19_2_6CC7460B | |
| Source: |
Code function: |
19_2_6CC8C610 | |
| Source: |
Code function: |
19_2_6CC96635 | |
| Source: |
Code function: |
19_2_6CC8C78B | |
| Source: |
Code function: |
19_2_6CC6C794 | |
| Source: |
Code function: |
19_2_6CC6A790 | |
| Source: |
Code function: |
19_2_6CC94751 | |
| Source: |
Code function: |
19_2_6CC66770 | |
| Source: |
Code function: |
19_2_6CC74770 | |
| Source: |
Code function: |
19_2_6CCAE770 | |
| Source: |
Code function: |
19_2_6CC6A700 | |
| Source: |
Code function: |
19_2_6CC6670C | |
| Source: |
Code function: |
19_2_6CCA071C | |
| Source: |
Code function: |
19_2_6CC900C3 | |
| Source: |
Code function: |
19_2_6CC6C0C8 | |
| Source: |
Code function: |
19_2_6CC660F0 | |
| Source: |
Code function: |
19_2_6CC920F3 | |
| Source: |
Code function: |
19_2_6CC8A0A0 | |
| Source: |
Code function: |
19_2_6CC7A0AB | |
| Source: |
Code function: |
19_2_6CCAC048 | |
| Source: |
Code function: |
19_2_6CC74060 | |
| Source: |
Code function: |
19_2_6CC7A007 | |
| Source: |
Code function: |
19_2_6CCA6018 | |
| Source: |
Code function: |
19_2_6CC6A1E0 | |
| Source: |
Code function: |
19_2_6CC661F0 | |
| Source: |
Code function: |
19_2_6CC9C18C | |
| Source: |
Code function: |
19_2_6CC8A144 | |
| Source: |
Code function: |
19_2_6CC6615C | |
| Source: |
Code function: |
19_2_6CC92166 | |
| Source: |
Code function: |
19_2_6CCAC11C | |
| Source: |
Code function: |
19_2_6CC6A2E0 | |
| Source: |
Code function: |
19_2_6CC622F6 | |
| Source: |
Code function: |
19_2_6CC662B4 | |
| Source: |
Code function: |
19_2_6CC8A25C | |
| Source: |
Code function: |
19_2_6CC6625C | |
| Source: |
Code function: |
19_2_6CC7427B | |
| Source: |
Code function: |
19_2_6CC66203 | |
| Source: |
Code function: |
19_2_6CC6A210 | |
| Source: |
Code function: |
19_2_6CC8E210 | |
| Source: |
Code function: |
19_2_6CCA6229 | |
| Source: |
Code function: |
19_2_6CC743E1 | |
| Source: |
Code function: |
19_2_6CCA63F8 | |
| Source: |
Code function: |
19_2_6CC803A9 | |
| Source: |
Code function: |
19_2_6CC74345 | |
| Source: |
Code function: |
19_2_6CC64340 | |
| Source: |
Code function: |
19_2_6CC66350 | |
| Source: |
Code function: |
19_2_6CC7035B | |
| Source: |
Code function: |
19_2_6CC62323 | |
| Source: |
Code function: |
19_2_6CC74328 | |
| Source: |
Code function: |
19_2_6CC8FC84 | |
| Source: |
Code function: |
19_2_6CC7BC94 | |
| Source: |
Code function: |
19_2_6CC83CB8 | |
| Source: |
Code function: |
19_2_6CC7BC50 | |
| Source: |
Code function: |
19_2_6CCA5C66 | |
| Source: |
Code function: |
19_2_6CC89C70 | |
| Source: |
Code function: |
19_2_6CC83C24 | |
| Source: |
Code function: |
19_2_6CCA9D89 | |
| Source: |
Code function: |
19_2_6CC8FDB6 | |
| Source: |
Code function: |
19_2_6CC7BD57 | |
| Source: |
Code function: |
19_2_6CC7BD24 | |
| Source: |
Code function: |
19_2_6CC83D35 | |
| Source: |
Code function: |
19_2_6CC9FE86 | |
| Source: |
Code function: |
19_2_6CC8FEA9 | |
| Source: |
Code function: |
19_2_6CCA5EA3 | |
| Source: |
Code function: |
19_2_6CCA5E5C | |
| Source: |
Code function: |
19_2_6CC77E60 | |
| Source: |
Code function: |
19_2_6CC9FE20 | |
| Source: |
Code function: |
19_2_6CC99FD1 | |
| Source: |
Code function: |
19_2_6CC8FFBB | |
| Source: |
Code function: |
19_2_6CC93F4B | |
| Source: |
Code function: |
19_2_6CC6BF40 | |
| Source: |
Code function: |
19_2_6CCAFF47 | |
| Source: |
Code function: |
19_2_6CCA5F59 | |
| Source: |
Code function: |
19_2_6CC99F60 | |
| Source: |
Code function: |
19_2_6CC9BF37 | |
| Source: |
Code function: |
19_2_6CCA58C5 | |
| Source: |
Code function: |
19_2_6CC658D0 | |
| Source: |
Code function: |
19_2_6CCA18E7 | |
| Source: |
Code function: |
19_2_6CC938F9 | |
| Source: |
Code function: |
19_2_6CC918F3 | |
| Source: |
Code function: |
19_2_6CC7D883 | |
| Source: |
Code function: |
19_2_6CC81886 | |
| Source: |
Code function: |
19_2_6CC9B890 | |
| Source: |
Code function: |
19_2_6CC89850 | |
| Source: |
Code function: |
19_2_6CC65860 | |
| Source: |
Code function: |
19_2_6CC99864 | |
| Source: |
Code function: |
19_2_6CC7F820 | |
| Source: |
Code function: |
19_2_6CC7B833 | |
| Source: |
Code function: |
19_2_6CC65830 | |
| Source: |
Code function: |
19_2_6CC6F9C0 | |
| Source: |
Code function: |
19_2_6CC899F1 | |
| Source: |
Code function: |
19_2_6CC89999 | |
| Source: |
Code function: | ||