Windows Analysis Report: Coy2GAiARw

Overview

General Information

Sample Name: Coy2GAiARw (renamed file extension from none to exe)
Analysis ID: 502747
MD5: 5ad64bb7be7914ad793ae5ccb98a571e
SHA1: 60aeca403754af25ff307050496a70eabe706a8a
SHA256: 18ae9ea1c1d71b33777c8772248580f17a2bcecf1aa0e8f71ec15d4b33d5253b
Tags: 32, DanaBot, exe, trojan

Detection

DanaBot
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • Coy2GAiARw.exe (PID: 6816, cmdline: 'C:\Users\user\Desktop\Coy2GAiARw.exe', MD5: 5AD64BB7BE7914AD793AE5CCB98A571E)
    • rundll32.exe (PID: 6852, cmdline: C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\COY2GA~1.DLL,s C:\Users\user\Desktop\COY2GA~1.EXE, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

Malware Configuration

Threatname: DanaBot

{"C2 list": ["192.210.222.88:443", "192.236.147.159:443", "192.119.110.73:443"], "Embedded Hash": "F4711E27D559B4AEB1A081A1EB0AC465"}

Yara Overview

Dropped Files

Source: C:\Users\user\Desktop\COY2GA~1.EXE.dll
Rule: JoeSecurity_DanaBot_stealer_dll_1
Description: Yara detected DanaBot stealer dll
Author: Joe Security

Memory Dumps

Source: 00000000.00000003.315558430.000000007FD50000.00000004.00000001.sdmp
Rule: JoeSecurity_DanaBot_stealer_dll_1
Description: Yara detected DanaBot stealer dll
Author: Joe Security

Sigma Overview

No Sigma rule has matched
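No Sigma rule matched this run, yet the rundll32 launch in the process tree carries enough to detect on its own: the DLL sits under the user's Desktop, it is referenced by its 8.3 short name (COY2GA~1.DLL), the export is a single letter (",s"), the parent is an executable in the same user-writable directory, and the rundll32 process then connects out to 192.119.110.73:443. The Python below is an added example and not part of the Joe Sandbox report or its rule set. The event schema (process_create and network_connect dicts keyed by pid), the severity thresholds, and the list of user-writable path tokens are this example's own assumptions; the sample events are constructed to mirror the process tree above and include one benign rundll32 launch to show the rule stays quiet on ordinary use.

```python
"""Correlate process-creation and network events by PID and score rundll32 launches."""
import ipaddress
import re
from collections import defaultdict

# Assumption: path fragments that any interactive user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")
SHORT_NAME = re.compile(r"~\d+\.")                         # 8.3 component such as COY2GA~1.DLL
RUNDLL32_TAIL = re.compile(r'rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)


def parse_rundll32(cmdline: str):
    """Split 'rundll32.exe <dll>,<export> <args>' into (dll, export, args); None if not rundll32."""
    m = RUNDLL32_TAIL.search(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    dll, sep, tail = rest.partition(",")
    if not sep:                                            # 'rundll32 foo.dll' with no export
        return rest.strip('"'), None, ""
    parts = tail.split(None, 1)
    export = parts[0] if parts else None
    return dll.strip('"'), export, (parts[1] if len(parts) > 1 else "")


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(token in low for token in USER_WRITABLE)


def score_rundll32(proc: dict, connects: list):
    """Return an alert for one rundll32 process_create event, or None when nothing is suspicious."""
    parsed = parse_rundll32(proc["cmdline"])
    if parsed is None:
        return None
    dll, export, _args = parsed
    reasons = []
    if in_user_writable(dll):
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    if SHORT_NAME.search(dll):
        reasons.append("DLL referenced by 8.3 short name (hides the real file name)")
    if export is not None and len(export) == 1:
        reasons.append(f"single-character export name: {export!r}")
    if in_user_writable(proc.get("parent_image", "")):
        reasons.append(f"parent runs from user-writable path: {proc['parent_image']}")
    outbound = [c for c in connects if ipaddress.ip_address(c["dst_ip"]).is_global]
    for c in outbound:
        reasons.append(f"outbound connection to {c['dst_ip']}:{c['dst_port']}")
    if not reasons:
        return None
    # Assumption: thresholds chosen for this example, tune to your environment.
    severity = "high" if outbound and len(reasons) >= 3 else "medium" if len(reasons) >= 2 else "low"
    return {"pid": proc["pid"], "severity": severity, "dll": dll, "export": export, "reasons": reasons}


def evaluate(events: list) -> list:
    """Index network_connect events by PID, then score every rundll32 process_create event."""
    connects = defaultdict(list)
    for e in events:
        if e["type"] == "network_connect":
            connects[e["pid"]].append(e)
    alerts = []
    for e in events:
        if e["type"] == "process_create" and "rundll32" in e["image"].lower():
            alert = score_rundll32(e, connects[e["pid"]])
            if alert:
                alerts.append(alert)
    return alerts


# Constructed events mirroring the report's process tree (PIDs and command lines as shown
# there), plus one benign rundll32 launch of a Control Panel applet from Explorer.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 6816, "image": r"C:\Users\user\Desktop\Coy2GAiARw.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"'C:\Users\user\Desktop\Coy2GAiARw.exe'"},
    {"type": "process_create", "pid": 6852, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Users\user\Desktop\Coy2GAiARw.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\COY2GA~1.DLL,s C:\Users\user\Desktop\COY2GA~1.EXE"},
    {"type": "network_connect", "pid": 6852, "dst_ip": "192.119.110.73", "dst_port": 443},
    {"type": "process_create", "pid": 7012, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl'},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], *alert["reasons"], sep="\n  ")
```

The rule keys on the combination rather than any single indicator: rundll32 loading a DLL from a user profile is occasionally legitimate, but together with a short-name path, a one-letter export, an untrusted parent and an immediate outbound TLS connection it matches the behaviour this report records for PID 6852 and nothing in the benign event.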

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000003.315558430.000000007FD50000.00000004.00000001.sdmp | Malware Configuration Extractor: DanaBot {"C2 list": ["192.210.222.88:443", "192.236.147.159:443", "192.119.110.73:443"], "Embedded Hash": "F4711E27D559B4AEB1A081A1EB0AC465"}
Multi AV Scanner detection for submitted file
Source: Coy2GAiARw.exe | Virustotal: Detection: 42%
Yara detected DanaBot stealer dll
Source: Yara match | File source: 00000000.00000003.315558430.000000007FD50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\Desktop\COY2GA~1.EXE.dll, type: DROPPED
Machine Learning detection for sample
Source: Coy2GAiARw.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004F5C80 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_004F5C80
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004F0FBC CryptAcquireContextA,CryptImportKey,CryptAcquireContextA,CryptDecrypt,CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_004F0FBC
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004F29AC CryptDestroyKey,0_2_004F29AC
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004F6334 CryptReleaseContext,0_2_004F6334
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004F2C93 CryptReleaseContext,0_2_004F2C93
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004F2D48 CryptDestroyKey,0_2_004F2D48
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004F2F04 CryptReleaseContext,0_2_004F2F04
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_0086120C CryptAcquireContextA,CryptImportKey,CryptAcquireContextA,CryptDecrypt,CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_0086120C
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00865ED0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00865ED0

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Unpacked PE file: 0.2.Coy2GAiARw.exe.400000.0.unpack
Source: Coy2GAiARw.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: 9C:\sil-dafunotepon bolinebihaw98\gekib.pdb`0P | source: Coy2GAiARw.exe
Source: Binary string: C:\sil-dafunotepon bolinebihaw98\gekib.pdb | source: Coy2GAiARw.exe
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00409568 FindFirstFileW,FindClose,0_2_00409568
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00414924 FindFirstFileW,FindClose,0_2_00414924
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00408F9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_00408F9C
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_007791EC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_007791EC
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_007797B8 FindFirstFileW,FindClose,0_2_007797B8

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.119.110.73 443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 192.210.222.88:443
Source: Malware configuration extractor | URLs: 192.236.147.159:443
Source: Malware configuration extractor | URLs: 192.119.110.73:443
Source: Joe Sandbox View | ASN Name: HOSTWINDSUS
Source: Joe Sandbox View | IP Address: 192.119.110.73
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: Coy2GAiARw.exe, 00000000.00000002.316475191.00000000008CA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected DanaBot stealer dll
Source: Yara match | File source: 00000000.00000003.315558430.000000007FD50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\Desktop\COY2GA~1.EXE.dll, type: DROPPED
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004F0FBC CryptAcquireContextA,CryptImportKey,CryptAcquireContextA,CryptDecrypt,CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_004F0FBC
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_0086120C CryptAcquireContextA,CryptImportKey,CryptAcquireContextA,CryptDecrypt,CryptImportKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_0086120C
Source: Coy2GAiARw.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004F0FBC
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_0086120C
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: String function: 00406CF4 appears 50 times
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: String function: 00776F44 appears 46 times
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: String function: 0040BE8C appears 41 times
Source: Coy2GAiARw.exe, 00000000.00000003.315793591.0000000002658000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs Coy2GAiARw.exe
Source: Coy2GAiARw.exe | Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: Coy2GAiARw.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (8 resources)
Source: Coy2GAiARw.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Coy2GAiARw.exe | Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Coy2GAiARw.exe 'C:\Users\user\Desktop\Coy2GAiARw.exe'
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\COY2GA~1.DLL,s C:\Users\user\Desktop\COY2GA~1.EXE
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | File created: C:\Users\user\Desktop\COY2GA~1.EXE.dll
Source: classification engine | Classification label: mal96.troj.evad.winEXE@3/1@0/1
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00414A38 GetDiskFreeSpaceW,0_2_00414A38
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\COY2GA~1.DLL,s C:\Users\user\Desktop\COY2GA~1.EXE
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Coy2GAiARw.exe | Static file information: File size 1159680 > 1048576
Source: Coy2GAiARw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: 9C:\sil-dafunotepon bolinebihaw98\gekib.pdb`0P | source: Coy2GAiARw.exe
Source: Binary string: C:\sil-dafunotepon bolinebihaw98\gekib.pdb | source: Coy2GAiARw.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Unpacked PE file: 0.2.Coy2GAiARw.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Unpacked PE file: 0.2.Coy2GAiARw.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.nusavu:ER;.pudipuv:ER;.rsrc:R; vs .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.didata:W;.edata:R;.tls:W;.rdata:R;.reloc:R;.rsrc:R;
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004FC000 push 004FC0DEh; ret 0_2_004FC0D6
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004FC474 push 004FC511h; ret 0_2_004FC509
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_0040B108 push 0040B18Bh; ret 0_2_0040B183
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00416B84 push 00416C1Dh; ret 0_2_00416C15
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004F9C24 push 004F9CD6h; ret 0_2_004F9CCE
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00411524 push 0041155Ch; ret 0_2_00411554
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004146CC push ecx; mov dword ptr [esp], ecx 0_2_004146D0
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_0086C0C4 push 004FC511h; ret 0_2_0086C159
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_0078491C push ecx; mov dword ptr [esp], ecx 0_2_00784920
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_0077B358 push 0040B18Bh; ret 0_2_0077B3D3
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_0086BC50 push 004FC0DEh; ret 0_2_0086BD26
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00786DD4 push 00416C1Dh; ret 0_2_00786E65
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00869E74 push 004F9CD6h; ret 0_2_00869F1E
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00781774 push 0041155Ch; ret 0_2_007817A4
Source: Coy2GAiARw.exe | Static PE information: section name: .nusavu
Source: Coy2GAiARw.exe | Static PE information: section name: .pudipuv
Source: COY2GA~1.EXE.dll.0.dr | Static PE information: section name: .didata
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004EE96C GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,0_2_004EE96C
Source: initial sample | Static PE information: section name: .text entropy: 7.99111772368
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | File created: C:\Users\user\Desktop\COY2GA~1.EXE.dll
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004EE96C GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,0_2_004EE96C
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 2053
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_0040AFF4 GetSystemInfo,0_2_0040AFF4
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00409568 FindFirstFileW,FindClose,0_2_00409568
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00414924 FindFirstFileW,FindClose,0_2_00414924
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00408F9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_00408F9C
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_007791EC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_007791EC
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_007797B8 FindFirstFileW,FindClose,0_2_007797B8
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004EE96C GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,0_2_004EE96C
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_0077092B mov eax, dword ptr fs:[00000030h] 0_2_0077092B
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00770D90 mov eax, dword ptr fs:[00000030h] 0_2_00770D90

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.119.110.73 443
Source: rundll32.exe, 00000004.00000002.822019573.0000000003370000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: rundll32.exe, 00000004.00000002.822019573.0000000003370000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000002.822019573.0000000003370000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: rundll32.exe, 00000004.00000002.822019573.0000000003370000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_004096A0
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: GetLocaleInfoW,0_2_00416278
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: GetLocaleInfoW,0_2_0041622C
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00408B40
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: GetLocaleInfoW,0_2_00419540
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: EnumSystemLocalesW,0_2_0041977C
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_007798F0
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: EnumSystemLocalesW,0_2_007899CC
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: GetLocaleInfoW,0_2_007864C8
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00778D74
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00778D90
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_00404C04 cpuid 0_2_00404C04
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_004161DC GetLocalTime,0_2_004161DC
Source: C:\Users\user\Desktop\Coy2GAiARw.exe | Code function: 0_2_0040B008 GetVersion,0_2_0040B008

Stealing of Sensitive Information:

Yara detected DanaBot stealer dll
Source: Yara match | File source: 00000000.00000003.315558430.000000007FD50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\Desktop\COY2GA~1.EXE.dll, type: DROPPED

Remote Access Functionality:

Yara detected DanaBot stealer dll
Source: Yara match | File source: 00000000.00000003.315558430.000000007FD50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\Desktop\COY2GA~1.EXE.dll, type: DROPPED

Mitre Att&ck Matrix

Techniques followed by a number were matched by signatures in this analysis (count as shown in the report); the remaining cells are unmatched matrix entries.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Application Shimming 1 | Process Injection 12 | Masquerading 1 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Application Shimming 1 | Process Injection 12 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Application Layer Protocol 11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Application Window Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 1 | LSA Secrets | System Information Discovery 26 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 22 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features

Behavior Graph

Behavior Graph ID: 502747