Windows Analysis Report
gfehgfwveg.exe

Overview

General Information

Sample name: gfehgfwveg.exe
Analysis ID: 1580519
MD5: 43ec2649e1b173b6e8b3800e18cceeb4
SHA1: e864b2d11a7c9c7497b22af930b31db1e2061244
SHA256: 4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183
Tags: exe, user-SquiblydooBlog

Detection

DanaBot
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DanaBot stealer dll
AI detected suspicious sample
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Abnormal high CPU Usage
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Queries information about the installed CPU (vendor, model number etc)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Classification

  • System is w10x64
  • gfehgfwveg.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\gfehgfwveg.exe" MD5: 43EC2649E1B173B6E8B3800E18CCEEB4)
    • cmd.exe (PID: 940 cmdline: cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 1532 cmdline: wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)
  • cleanup
Name: DanaBot
Description: Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Attribution: SCULLY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security |
Process Memory Space: gfehgfwveg.exe PID: 6464 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: gfehgfwveg.exe PID: 6464 | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security |

No Sigma rule has matched

AV Detection

Source: gfehgfwveg.exe | Avira: detected
Source: gfehgfwveg.exe | ReversingLabs: Detection: 55%
Source: Yara match | File source: 00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gfehgfwveg.exe PID: 6464, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.9% probability
Source: gfehgfwveg.exe | Joe Sandbox ML: detected
Source: gfehgfwveg.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user\AppData

Networking

Source: Joe Sandbox View | ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS
Source: unknown | TCP traffic detected without corresponding DNS query: 34.34.145.103
Source: unknown | TCP traffic detected without corresponding DNS query: 34.169.99.17
Source: unknown | TCP traffic detected without corresponding DNS query: 34.83.67.185
Source: unknown | TCP traffic detected without corresponding DNS query: 35.195.45.98
Source: gfehgfwveg.exe, 00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: gfehgfwveg.exe, 00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: gfehgfwveg.exe, 00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: gfehgfwveg.exe, 00000000.00000003.2097989940.000000007EB44000.00000004.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000003.2099321079.000000007EB1A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/V
Source: gfehgfwveg.exe, 00000000.00000003.2097140713.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: gfehgfwveg.exe, 00000000.00000003.2097140713.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50076
        Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50075
        Source: unknownNetwork traffic detected: HTTP traffic on port 50057 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50078
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50077
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50079
        Source: unknownNetwork traffic detected: HTTP traffic on port 50096 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50108 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50081
        Source: unknownNetwork traffic detected: HTTP traffic on port 50073 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50080
        Source: unknownNetwork traffic detected: HTTP traffic on port 49933 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50028 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50083
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50082
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50085
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50084
        Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49837
        Source: unknownNetwork traffic detected: HTTP traffic on port 49921 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49957
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49956
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49834
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49955
        Source: unknownNetwork traffic detected: HTTP traffic on port 50062 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49952
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49830
        Source: unknownNetwork traffic detected: HTTP traffic on port 49927 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50087
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50086
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50089
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50088
        Source: unknownNetwork traffic detected: HTTP traffic on port 50079 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50090
        Source: unknownNetwork traffic detected: HTTP traffic on port 50051 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50092
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50091
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50094
        Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50093
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50096
        Source: unknownNetwork traffic detected: HTTP traffic on port 49955 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50023 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50095
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
        Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49949
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49945
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50018
        Source: unknownNetwork traffic detected: HTTP traffic on port 50061 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49945 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50011
        Source: unknownNetwork traffic detected: HTTP traffic on port 50055 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50090 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50078 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50049 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49939 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49899
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50028
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49896
        Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49890
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50023
        Source: unknownNetwork traffic detected: HTTP traffic on port 50095 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49957 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49991 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50067 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50103 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50084 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49886
        Source: unknownNetwork traffic detected: HTTP traffic on port 50011 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49880
        Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50034
        Source: unknownNetwork traffic detected: HTTP traffic on port 49896 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50050 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50110 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49956 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50040
        Source: unknownNetwork traffic detected: HTTP traffic on port 50066 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50104 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50083 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50089 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49877
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49998
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49871
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49991
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50043
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50042
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50045
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50044
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50047
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50046
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50049
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50048
        Source: unknownNetwork traffic detected: HTTP traffic on port 50109 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50072 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50050
        Source: unknownNetwork traffic detected: HTTP traffic on port 49962 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50052
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50051
        Source: unknownNetwork traffic detected: HTTP traffic on port 50044 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49988
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49867
        Source: unknownNetwork traffic detected: HTTP traffic on port 49890 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49970 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50042 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50059 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50094 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49912 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50071 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49906 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50106
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50105
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50108
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50107
        Source: unknownNetwork traffic detected: HTTP traffic on port 49837 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49975 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50060 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50109
        Source: unknownNetwork traffic detected: HTTP traffic on port 50018 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50100
        Source: unknownNetwork traffic detected: HTTP traffic on port 50077 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50102
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50101
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50104
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50103
        Source: unknownNetwork traffic detected: HTTP traffic on port 50053 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49861 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50088 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49918 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50111
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50110
        Source: unknownNetwork traffic detected: HTTP traffic on port 50076 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50099 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50043 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50100 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50006
        Source: unknownNetwork traffic detected: HTTP traffic on port 49952 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50093 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50054 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50003
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50002
        Source: unknownNetwork traffic detected: HTTP traffic on port 50111 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50004
        Source: unknownNetwork traffic detected: HTTP traffic on port 50048 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50006 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49907 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50082 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50065 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50105 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49867 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50098
        Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50097
        Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49871 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50099
        Source: unknownNetwork traffic detected: HTTP traffic on port 50075 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50106 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50003 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50052 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49965 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49939
        Source: unknownNetwork traffic detected: HTTP traffic on port 49810 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50081 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49814
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49933
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49811
        Source: unknownNetwork traffic detected: HTTP traffic on port 50087 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49810
        Source: unknownNetwork traffic detected: HTTP traffic on port 50064 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50070 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49988 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50098 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50046 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49927
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49803
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49800
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49921
        Source: unknownNetwork traffic detected: HTTP traffic on port 50086 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50063 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50092 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49877 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49854 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50047 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49908 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49918
        Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49912
        Source: unknownNetwork traffic detected: HTTP traffic on port 49998 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50058 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49899 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50097 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50002 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49908
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49907
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49906
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49903
        Source: unknownNetwork traffic detected: HTTP traffic on port 49903 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50069 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 50101 -> 443

        E-Banking Fraud

        Source: Yara match | File source: 00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: gfehgfwveg.exe PID: 6464, type: MEMORYSTR
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Process Stats: CPU usage > 49%
        Source: gfehgfwveg.exe | Static PE information: Number of sections : 11 > 10
        Source: gfehgfwveg.exe, 00000000.00000003.2097989940.000000007EB44000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibeay32.dllH vs gfehgfwveg.exe
        Source: gfehgfwveg.exe, 00000000.00000003.2099321079.000000007EB1A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamessleay32.dllH vs gfehgfwveg.exe
        Source: gfehgfwveg.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: classification engine | Classification label: mal92.troj.evad.winEXE@6/0@0/4
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5512:120:WilError_03
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: gfehgfwveg.exe, 00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
        Source: gfehgfwveg.exe, 00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
        Source: gfehgfwveg.exe, 00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
        Source: gfehgfwveg.exe, 00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
        Source: gfehgfwveg.exe | ReversingLabs: Detection: 55%
        Source: unknown | Process created: C:\Users\user\Desktop\gfehgfwveg.exe "C:\Users\user\Desktop\gfehgfwveg.exe"
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: netapi32.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: winmm.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: winmmbase.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: mmdevapi.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: devobj.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: ksuser.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: avrt.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: audioses.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: powrprof.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: umpdc.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: msacm32.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: midimap.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: mpr.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: wsock32.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: rasapi32.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: rasman.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: samcli.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: avifil32.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: msvfw32.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: cryptui.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: wtsapi32.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: pstorec.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: winsta.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: firewallapi.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: fwbase.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: sxs.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: framedynos.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: msxml6.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: vcruntime140.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: gfehgfwveg.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: gfehgfwveg.exe | Static file information: File size 4276224 > 1048576
        Source: gfehgfwveg.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3ec600
        Source: gfehgfwveg.exe | Static PE information: section name: .didata

        Hooking and other Techniques for Hiding and Protection

        Source: gfehgfwveg.exe, 00000000.00000003.2093905422.000000007E870000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: torConnect
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive WHERE DeviceID=\'c:\'
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive WHERE DeviceID=\'c:\'
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Window / User API: threadDelayed 9960
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | System information queried: CurrentTimeZoneInformation
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | System information queried: CurrentTimeZoneInformation
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | System information queried: CurrentTimeZoneInformation
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | System information queried: CurrentTimeZoneInformation
        Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user\AppData\Roaming
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | File opened: C:\Users\user\AppData
        Source: gfehgfwveg.exe, 00000000.00000003.2100996287.00000000008B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l
        Source: gfehgfwveg.exe, 00000000.00000003.2100996287.00000000008B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\Y
        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information queried: ProcessInformation

        Anti Debugging

        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Process Stats: CPU usage > 42% for more than 60s
        Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
        Source: gfehgfwveg.exe, 00000000.00000003.2093905422.000000007E870000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
        Source: gfehgfwveg.exe, 00000000.00000003.2093905422.000000007E870000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: explorer.exeShell_TrayWnd
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (9 occurrences)
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (3 occurrences)
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (3 occurrences)
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (3 occurrences)
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (15 occurrences)
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (5 occurrences)
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (4 occurrences)
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId (3 occurrences)
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: gfehgfwveg.exe PID: 6464, type: MEMORYSTR (2 matches)

        Remote Access Functionality

        Source: Yara match | File source: 00000000.00000003.2094443248.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: gfehgfwveg.exe PID: 6464, type: MEMORYSTR
        MITRE ATT&CK Matrix

        The matrix was flattened during extraction; it is rebuilt below with one tactic per line, techniques listed in the report's row order. A number in parentheses is the count the report shows next to that technique.

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
        Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
        Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
        Privilege Escalation: Process Injection (12); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
        Defense Evasion: Virtualization/Sandbox Evasion (21); Process Injection (12); DLL Side-Loading (1); Binary Padding; Software Packing; Steganography; Compile After Delivery; Indicator Removal from Tools
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
        Discovery: System Time Discovery (1); Security Software Discovery (21); Virtualization/Sandbox Evasion (21); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (2); System Information Discovery (142)
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
        Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
        Command and Control: Encrypted Channel (2); Multi-hop Proxy (1); Application Layer Protocol (1); Proxy (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement