Windows Analysis Report Coy2GAiARw
Overview
General Information
Detection
DanaBot
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses Microsoft's Enhanced Cryptographic Provider
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: DanaBot |
---|
{"C2 list": ["192.210.222.88:443", "192.236.147.159:443", "192.119.110.73:443"], "Embedded Hash": "F4711E27D559B4AEB1A081A1EB0AC465"}
Yara Overview |
---|
Dropped Files |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DanaBot_stealer_dll_1 | Yara detected DanaBot stealer dll | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Yara detected DanaBot stealer dll |
Source: | File source: | ||
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_004F5C80 | |
Source: | Code function: | 0_2_004F0FBC | |
Source: | Code function: | 0_2_004F29AC | |
Source: | Code function: | 0_2_004F6334 | |
Source: | Code function: | 0_2_004F2C93 | |
Source: | Code function: | 0_2_004F2D48 | |
Source: | Code function: | 0_2_004F2F04 | |
Source: | Code function: | 0_2_0086120C | |
Source: | Code function: | 0_2_00865ED0 |
Compliance: |
---|
Detected unpacking (overwrites its own PE header) |
Source: | Unpacked PE file: |
Source: | Static PE information: |
Source: | File opened: |
Source: | Binary string: | ||
Source: | Code function: | 0_2_00409568 | |
Source: | Code function: | 0_2_00414924 | |
Source: | Code function: | 0_2_00408F9C | |
Source: | Code function: | 0_2_007791EC | |
Source: | Code function: | 0_2_007797B8 |
Networking: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: | Network Connect: |
C2 URLs / IPs found in malware configuration |
Source: | URLs: | ||
Source: | ASN Name: |
Source: | IP Address: |
Source: | Network traffic detected: | ||
Source: | Binary or memory string: |
E-Banking Fraud: |
---|
Yara detected DanaBot stealer dll |
Source: | File source: | ||
Source: | Code function: | 0_2_004F0FBC | |
Source: | Code function: | 0_2_0086120C |
Source: | Static PE information: |
Source: | Code function: | 0_2_004F0FBC | |
Source: | Code function: | 0_2_0086120C |
Source: | Binary or memory string: |
Source: | Static PE information: | ||
Source: | Virustotal: |
Source: | Key opened: |
Source: | Process created: | |||
Source: | File created: |
Source: | Classification label: |
Source: | Code function: | 0_2_00414A38 |
Source: | Key opened: |
Source: | Process created: |
Source: | File opened: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Data Obfuscation: |
---|
Detected unpacking (overwrites its own PE header) |
Source: | Unpacked PE file: |
Detected unpacking (changes PE section rights) |
Source: | Unpacked PE file: |
Source: | Code function: | 0_2_004FC0D6 | |
Source: | Code function: | 0_2_004FC509 | |
Source: | Code function: | 0_2_0040B183 | |
Source: | Code function: | 0_2_00416C15 | |
Source: | Code function: | 0_2_004F9CCE | |
Source: | Code function: | 0_2_00411554 | |
Source: | Code function: | 0_2_004146D0 | |
Source: | Code function: | 0_2_0086C159 | |
Source: | Code function: | 0_2_00784920 | |
Source: | Code function: | 0_2_0077B3D3 | |
Source: | Code function: | 0_2_0086BD26 | |
Source: | Code function: | 0_2_00786E65 | |
Source: | Code function: | 0_2_00869F1E | |
Source: | Code function: | 0_2_007817A4 |
Source: | Static PE information: | ||
Source: | Code function: | 0_2_004EE96C |
Source: | Static PE information: |
Source: | File created: |
Source: | Code function: | 0_2_004EE96C |
Source: | Process information set: |
Source: | Window / User API: |
Source: | Code function: | 0_2_0040AFF4 |
Source: | Code function: | 0_2_00409568 | |
Source: | Code function: | 0_2_00414924 | |
Source: | Code function: | 0_2_00408F9C | |
Source: | Code function: | 0_2_007791EC | |
Source: | Code function: | 0_2_007797B8 |
Source: | Code function: | 0_2_004EE96C |
Source: | Code function: | 0_2_0077092B | |
Source: | Code function: | 0_2_00770D90 |
HIPS / PFW / Operating System Protection Evasion: |
---|
System process connects to network (likely due to code injection or exploit) |
Source: | Network Connect: |
Source: | Binary or memory string: | ||
Source: | Code function: | 0_2_004096A0 | |
Source: | Code function: | 0_2_00416278 | |
Source: | Code function: | 0_2_0041622C | |
Source: | Code function: | 0_2_00408B40 | |
Source: | Code function: | 0_2_00419540 | |
Source: | Code function: | 0_2_0041977C | |
Source: | Code function: | 0_2_007798F0 | |
Source: | Code function: | 0_2_007899CC | |
Source: | Code function: | 0_2_007864C8 | |
Source: | Code function: | 0_2_00778D74 | |
Source: | Code function: | 0_2_00778D90 |
Source: | Code function: | 0_2_00404C04 |
Source: | Key value queried: |
Source: | Code function: | 0_2_004161DC |
Source: | Code function: | 0_2_0040B008 |
Stealing of Sensitive Information: |
---|
Yara detected DanaBot stealer dll |
Source: | File source: | ||
Remote Access Functionality: |
---|
Yara detected DanaBot stealer dll |
Source: | File source: | ||
MITRE ATT&CK Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Native API1 | Application Shimming1 | Process Injection12 | Masquerading1 | Input Capture1 | System Time Discovery1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1 |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Application Shimming1 | Process Injection12 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Application Layer Protocol11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Application Window Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | File and Directory Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll321 | LSA Secrets | System Information Discovery26 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing22 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|