Edit tour

Windows Analysis Report
kde.exe

Overview

General Information

Sample Name:	kde.exe
Analysis ID:	578630
MD5:	2a597d25bbecfca9550df0d6f48bcafb
SHA1:	5aa68ba69c391a3bcc93e88378a4e4818a2a9181
SHA256:	532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28
Tags:	exe
Infos:

Detection

DanaBot

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

PE file contains strange resources

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Classification

Process Tree

System is w10x64

kde.exe (PID: 4768 cmdline: "C:\Users\user\Desktop\kde.exe" MD5: 2A597D25BBECFCA9550DF0D6F48BCAFB)

WerFault.exe (PID: 1880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.294601928.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
00000000.00000000.299484434.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
00000000.00000000.304905986.0000000004970000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
00000000.00000002.335103193.0000000004970000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
00000000.00000000.302219362.0000000004970000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
00000000.00000000.303147147.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
00000000.00000002.333388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.kde.exe.400000.0.unpack	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
0.2.kde.exe.400000.0.raw.unpack	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
0.3.kde.exe.4bc0000.0.unpack	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
0.0.kde.exe.400000.1.raw.unpack	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
0.0.kde.exe.400000.2.raw.unpack	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
0.0.kde.exe.400000.2.unpack	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
0.3.kde.exe.4bc0000.0.raw.unpack	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
0.0.kde.exe.400000.1.unpack	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: kde.exe

ReversingLabs: Detection: 53%

Yara detected DanaBot stealer dll

Source: Yara match	File source: 0.2.kde.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kde.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kde.exe.4bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kde.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.294601928.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299484434.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.304905986.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335103193.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.302219362.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.303147147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.333388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Machine Learning detection for sample

Source: kde.exe

Joe Sandbox ML: detected

Source: kde.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\kde.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: C:\has\pabatasuge50\jokecu\milonotoli.pdb source: kde.exe
Source:	Binary string: lBC:\has\pabatasuge50\jokecu\milonotoli.pdb source: kde.exe

Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040D390 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_00411D32 FindFirstFileW,
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040CDC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,

Source: Amcache.hve.5.dr

String found in binary or memory: http://upx.sf.net

Source: kde.exe, 00000000.00000000.301852075.0000000002E78000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected DanaBot stealer dll

Source: Yara match	File source: 0.2.kde.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kde.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kde.exe.4bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kde.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.294601928.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299484434.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.304905986.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335103193.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.302219362.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.303147147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.333388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Source: kde.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: kde.exe, 00000000.00000000.305465579.0000000004E18000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs kde.exe
Source: kde.exe, 00000000.00000003.332897633.0000000004E18000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs kde.exe

Source: C:\Users\user\Desktop\kde.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388

Source: kde.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kde.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_00615DA0
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040B920

Source: kde.exe

ReversingLabs: Detection: 53%

Source: kde.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kde.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\kde.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\kde.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: unknown	Process created: C:\Users\user\Desktop\kde.exe "C:\Users\user\Desktop\kde.exe"
Source: C:\Users\user\Desktop\kde.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4768

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3AD.tmp

Jump to behavior

Source: classification engine

Classification label: mal60.troj.winEXE@2/6@0/0

Source: C:\Users\user\Desktop\kde.exe

Code function: 0_2_00411D8A GetDiskFreeSpaceW,

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: kde.exe

Static file information: File size 1235968 > 1048576

Source: C:\Users\user\Desktop\kde.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: kde.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: kde.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kde.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kde.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kde.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kde.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kde.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: kde.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\has\pabatasuge50\jokecu\milonotoli.pdb source: kde.exe
Source:	Binary string: lBC:\has\pabatasuge50\jokecu\milonotoli.pdb source: kde.exe

Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040F848 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0042081C push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040F830 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040F83C push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040F8D6 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040F88E push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040F8B4 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040F9C8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040F9E0 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0048B188 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_004879A8 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040F218 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_00407284 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0060AD53 push eax; retn 0000h
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040FF84 push 00410007h; ret
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_048C3557 push 00000000h; iretd
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_04882808 pushad ; iretd

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\kde.exe

Code function: 0_2_0040F008 GetSystemInfo,

Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040D390 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_00411D32 FindFirstFileW,
Source: C:\Users\user\Desktop\kde.exe	Code function: 0_2_0040CDC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\kde.exe

Code function: 0_2_048810A3 push dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\kde.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\kde.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\kde.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\kde.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\kde.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\kde.exe	Code function: GetLocaleInfoW,

Source: C:\Users\user\Desktop\kde.exe

Code function: 0_2_00407A14 cpuid

Source: C:\Users\user\Desktop\kde.exe

Code function: 0_2_0040F01C GetVersion,

Source: C:\Users\user\Desktop\kde.exe

Code function: 0_2_00411DCA GetLocalTime,

Source: Amcache.hve.5.dr, Amcache.hve.LOG1.5.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr, Amcache.hve.LOG1.5.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information

Yara detected DanaBot stealer dll

Source: Yara match	File source: 0.2.kde.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kde.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kde.exe.4bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kde.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.294601928.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299484434.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.304905986.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335103193.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.302219362.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.303147147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.333388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Yara detected DanaBot stealer dll

Source: Yara match	File source: 0.2.kde.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kde.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kde.exe.4bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kde.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.kde.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.294601928.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.299484434.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.304905986.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335103193.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.302219362.0000000004970000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.303147147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.333388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kde.exe	53%	ReversingLabs	Win32.Trojan.Azorult
kde.exe	100%	Joe Sandbox ML

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	578630
Start date:	25.02.2022
Start time:	04:01:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	kde.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.troj.winEXE@2/6@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 84% (good quality ratio 75%) Quality average: 78.2% Quality standard deviation: 32.6%
HCA Information:	Successful, ratio: 72% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.168.117.173
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: kde.exe

Simulations

Behavior and APIs

Time	Type	Description
04:02:41	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_kde.exe_ed834321750559f607ef26d0f78c84fecfbdd8_3266afc3_0761b0bc\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.766489995190086
Encrypted:	false
SSDEEP:	96:MF9F2NSxKbueJTJvhV97Y91pXIQcQ+c63fcE7cw3Y1S+HbHg/8BRTf3Oy1EISWb4:MnsNbXTyHQTfB01bju7/u7snS274ItU
MD5:	B504A0E5BA4C3648778CB5F5A446987D
SHA1:	2E107E0759BE7669EB152933A331AAD34AA09E51
SHA-256:	EAF109DEB7BED7A68113126C9200C99D5C54B09689D51AC1A2DA4CBCBCDF5E17
SHA-512:	E4D84541FCA39BB3319E781D3F1B2C2590216B64938BAB11BE47957ECC7F0F00099DE4F5F23D01BDE39FE3B6733B850777EE2FFADD4B848DE7BF62278076E513
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.0.2.6.4.1.5.8.3.6.5.9.5.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.0.2.6.4.1.6.0.4.5.9.6.5.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.4.4.8.9.c.e.-.1.4.9.b.-.4.0.f.e.-.a.d.9.b.-.1.b.b.0.1.9.a.1.4.2.5.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.e.3.a.4.0.e.-.d.b.9.2.-.4.3.2.5.-.8.3.4.7.-.9.f.3.3.b.b.5.6.6.4.d.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.k.d.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.a.0.-.0.0.0.1.-.0.0.1.c.-.2.2.f.c.-.5.5.8.f.3.f.2.a.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.e.3.f.b.f.e.b.e.7.5.d.5.4.8.2.3.e.d.d.d.7.a.e.0.4.3.7.0.a.6.f.0.0.0.0.f.f.f.f.!.0.0.0.0.5.a.a.6.8.b.a.6.9.c.3.9.1.a.3.b.c.c.9.3.e.8.8.3.7.8.a.4.e.4.8.1.8.a.2.a.9.1.8.1.!.k.d.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.2././.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3AD.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Feb 25 12:02:38 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	58470
Entropy (8bit):	2.318560026717585
Encrypted:	false
SSDEEP:	384:718fOpfimJOVjucepyH+DaUjPchpGx9SuD1d:7mf0JONeMujPM4xUm
MD5:	C989337E214D9026BFB380D7F9EFA4F9
SHA1:	95B38FB53212A31943B7FE3CBC1F7ED53CBBCB36
SHA-256:	2677337E95A02CB7B5F5E2DB1A6DA99410B3E1D13744982F297E692D84F26B4A
SHA-512:	B75E80D80F27A066CD456D045BF920016371634A73FDC4524736AAEC0DE9EC97B1A8B81D245603BA8E30718F4E294B10515DFA1C11841C777247A76D1251DD26
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......^..b....................................t...@#..........T.......8...........T............................................................................................................U...........B..............GenuineIntelW...........T...........T..b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA69C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8270
Entropy (8bit):	3.6896176509862144
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiejU6IaGKS6YF2SUwCgmfiS5B1dCprc89b4Rrsf+aBm:RrlsNiwU6Iae6Y0SUwCgmfiS5js4RwfC
MD5:	5A91703779555E7BDA1B2E7493AC2FB0
SHA1:	47C2E7581A89201B26F6E5B12DA689A02CC4684C
SHA-256:	A5BF80E412D12495D3BE2BF09F143C5E752AC6FDE543440439A432860F7BDACB
SHA-512:	B7A5BF2BA63E511C3DC200B33E6B919D7B315680B2D08FF7AF691AAAFFC797D7AF0B6AEE2ED151FD195C38D532F20B4116616E8D91D8E89F36B0B63ADF0A6018
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.6.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA7F4.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.419469536377917
Encrypted:	false
SSDEEP:	48:cvIwSD8zsArJgtWI9lxWSC8Bc8fm8M4JkXhxDwwFvx+q8tdtPVgZUW2ZVYydd:uITfAFCgSN3J0TwYxaxVo9sYydd
MD5:	8F4B2B65EA60534050B42307F6EEAAA9
SHA1:	F70CEA732847771465AAA04C5218B54C45A130CF
SHA-256:	3DE319F62760575062A56CF9D70583F574E244907719958030D0DB65BE56FE2B
SHA-512:	CE62994FC342157853628F0122D79C7463C4AEB96BECF4F16D70DA3ADC0C3858823117127CFFC31BE5BB96DD959EC329BF56A7494054F9642DCE6CDF52B56173
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1402393" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.274596008094446
Encrypted:	false
SSDEEP:	12288:1YC4PxHBCmuwj1aT1sYwceCDn4DHiprV1dIS84f/NmKMl1nmubD0D:2C4PxHBCmuwj1ajZ
MD5:	00A78A5AFE0DB01E1C6D7E6AC51E5B74
SHA1:	E16626A217A447B1B3BDBC0D788BB8B41A6D500A
SHA-256:	42440531FA4C8549679B141DC88035F17320503CC2F8ED741A7BDF7652273794
SHA-512:	FAB2BAFFB41612C49D7D02AA1103C08FF2930CE0DE5C2D925AE8E4C2098EC33B42F32B349A200A679FC568AC2114A30C7976FED1F4EBAF03B458342D28D8A1E0
Malicious:	false
Reputation:	low
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...?*.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.9795377567477153
Encrypted:	false
SSDEEP:	384:N+HW75Rftx14PJ4XbsBFn07kHPBqXISeq5QMVyiC+/5l4Lk4EZd1DoXzObImQac:uWFRftx1+J4X4BF07QBqXbeq5QMVyiCO
MD5:	C9FA501851BD93D9322BB96A5BBDDB65
SHA1:	9611146D66CCA69CD57844AEE695B1874F00F36D
SHA-256:	6BEFC25A01428E1414A54CAD4F38A65302155C9603ABE57E475F7DE07A630042
SHA-512:	E2B30A91B81C41E1B6321721246797ECDE2AB39C1BB9649A4AF457FD3A5A5F7F0E45098F7E983D6A4EEF760ED138A95A7A6FEDEB8B2E2877C59D05B1D0EA8886
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...?.................................................................................................................................................................................................................................................................................................................................................HvLE.^......Y...........{.l7..Yx...5dc.6.........0................... ..hbin................p.\..,..........nk,..z.?......h........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..z.?...... ........................... .......Z.......................Root........lf......Root....nk ..z.?...................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

LoadLibraryA, GetComputerNameExA, WriteProfileSectionA, GetNumaProcessorNode, FindFirstVolumeA, SetConsoleCursorInfo, HeapUnlock, FindFirstChangeNotificationA, WaitForSingleObject, GetNamedPipeHandleStateW, FileTimeToDosDateTime, EnumResourceTypesA, EnumResourceNamesW, ExitProcess, TerminateProcess, ActivateActCtx, GetVersionExW, VerifyVersionInfoW, SetConsoleOutputCP, ResetEvent, FindNextFileW, GetCompressedFileSizeA, CopyFileExA, ReadConsoleOutputCharacterA, GetDefaultCommConfigW, VerLanguageNameA, _hread, GetCommConfig, WritePrivateProfileStructA, FreeEnvironmentStringsW, CreateTimerQueue, FindVolumeClose, LeaveCriticalSection, WriteConsoleInputA, CancelWaitableTimer, SetComputerNameExW, FindAtomW, ReleaseMutex, LocalUnlock, CallNamedPipeW, BuildCommDCBAndTimeoutsA, VirtualProtect, LocalAlloc, TlsSetValue, GetCommandLineA, InterlockedIncrement, CopyFileA, AddRefActCtx, OutputDebugStringW, FormatMessageA, GetPriorityClass, WritePrivateProfileStringW, GetSystemDefaultLangID, TerminateThread, GlobalUnfix, HeapValidate, _hwrite, GetWindowsDirectoryA, GetStartupInfoW, CreatePipe, GetCPInfoExW, GetSystemWindowsDirectoryA, GetSystemWow64DirectoryA, GetLastError, GetCalendarInfoW, DebugBreak, GetConsoleCursorInfo, GetTickCount, DeleteVolumeMountPointA, OpenFileMappingW, ContinueDebugEvent, GetSystemWindowsDirectoryW, CopyFileW, SetMailslotInfo, AddConsoleAliasA, GetPrivateProfileIntW, ReadConsoleInputW, OutputDebugStringA, InterlockedDecrement, DefineDosDeviceA, SetVolumeMountPointA, SetThreadAffinityMask, SetConsoleActiveScreenBuffer, SetProcessAffinityMask, EnumResourceNamesA, GetThreadContext, GetLongPathNameW, SetConsoleTextAttribute, LoadLibraryW, EndUpdateResourceW, WaitForDebugEvent, ReadConsoleA, WriteConsoleA, InterlockedFlushSList, WritePrivateProfileSectionA, GetPrivateProfileStructA, DeleteCriticalSection, GetPrivateProfileSectionNamesA, GetDriveTypeW, GetFileAttributesExA, LocalFileTimeToFileTime, GetVolumePathNameA, GetConsoleMode, HeapSetInformation, GetComputerNameA, ProcessIdToSessionId, ReadProcessMemory, MoveFileExW, DisableThreadLibraryCalls, GlobalFix, WriteConsoleInputW, GlobalDeleteAtom, GetEnvironmentStrings, InterlockedExchangeAdd, WaitNamedPipeW, GetPrivateProfileStructW, GetExitCodeProcess, GetSystemTimeAsFileTime, GetLocalTime, EnumCalendarInfoExA, FreeEnvironmentStringsA, CreateIoCompletionPort, OpenSemaphoreA, GetMailslotInfo, GetCommModemStatus, lstrcpyA, HeapWalk, LockFile, EndUpdateResourceA, VerSetConditionMask, GetConsoleCP, GetConsoleAliasW, GetNumberOfConsoleInputEvents, GetProfileStringA, GetQueuedCompletionStatus, AllocConsole, GetNumaNodeProcessorMask, CreateMailslotW, EnumDateFormatsW, SetCommState, FileTimeToLocalFileTime, IsDebuggerPresent, GetSystemTimeAdjustment, _lread, GetConsoleAliasExesLengthA, GetWriteWatch, GetModuleHandleA, GetPrivateProfileStringA, ReadConsoleOutputAttribute, GetFileInformationByHandle, GetProfileStringW, MoveFileA, CreateActCtxW, SetCommMask, SetMessageWaitingIndicator, SetFileApisToANSI, OpenWaitableTimerW, GetProcessShutdownParameters, PeekNamedPipe, FillConsoleOutputCharacterW, FindNextVolumeMountPointA, GetThreadPriority, DeleteAtom, AddAtomW, WriteConsoleOutputCharacterW, QueryDosDeviceA, GetConsoleAliasExesW, GetBinaryTypeA, RaiseException, GetStartupInfoA, IsBadReadPtr, EnterCriticalSection, GetModuleFileNameW, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleW, Sleep, GetProcAddress, TlsGetValue, TlsAlloc, GetCurrentThreadId, TlsFree, SetLastError, SetHandleCount, GetStdHandle, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetModuleFileNameA, WideCharToMultiByte, GetEnvironmentStringsW, HeapDestroy, HeapCreate, HeapFree, VirtualFree, WriteFile, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, RtlUnwind, InitializeCriticalSectionAndSpinCount, WriteConsoleW, SetFilePointer, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, SetStdHandle, GetConsoleOutputCP, CloseHandle, CreateFileA

USER32.dll

OemToCharW

Version Infos

Description	Data
Translations	0x0025 0x023e

• kde.exe
• WerFault.exe

Click to jump to process

Target ID:	0
Start time:	04:02:28
Start date:	25/02/2022
Path:	C:\Users\user\Desktop\kde.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\kde.exe"
Imagebase:	0x400000
File size:	1235968 bytes
MD5 hash:	2A597D25BBECFCA9550DF0D6F48BCAFB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000003.294601928.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000000.299484434.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000000.304905986.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.335103193.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000000.302219362.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000000.303147147.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000000.00000002.333388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	04:02:37
Start date:	25/02/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388
Imagebase:	0x300000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Entrypoint:	0x40abe0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5FEE5FF6 [Thu Dec 31 23:34:14 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	bb691abe2029e4024abbec6edd66f52e

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x24f86	0x25000	False	0.428176467483	data	6.26658613282	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x26000	0x27b36c4	0xebc00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x27da000	0x89b0	0x8a00	False	0.603374094203	data	5.73223003631	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x27e3000	0x14058	0x14200	False	0.0694026591615	data	0.903465809032	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type
RT_CURSOR	0x27e0680	0x130	data
RT_CURSOR	0x27e07b0	0xf0	data
RT_CURSOR	0x27e08a0	0x10a8	dBase III DBT, version number 0, next free block index 40
RT_CURSOR	0x27e1978	0x8a8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"
RT_ICON	0x27da4b0	0x6c8	data
RT_ICON	0x27dab78	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x27db0e0	0x10a8	data
RT_ICON	0x27dc188	0x988	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x27dcb10	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x27dcfc8	0x25a8	data
RT_ICON	0x27df570	0x10a8	data
RT_STRING	0x27e2368	0x1ac	data
RT_STRING	0x27e2518	0x36c	data
RT_STRING	0x27e2888	0x128	data
RT_ACCELERATOR	0x27e0660	0x20	data
RT_ACCELERATOR	0x27e0640	0x20	data
RT_GROUP_CURSOR	0x27e1948	0x30	data
RT_GROUP_CURSOR	0x27e2220	0x14	data
RT_GROUP_ICON	0x27dcf78	0x4c	data
RT_GROUP_ICON	0x27e0618	0x22	data
RT_VERSION	0x27e2238	0x130	data

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.635715788071644
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	kde.exe
File size:	1235968
MD5:	2a597d25bbecfca9550df0d6f48bcafb
SHA1:	5aa68ba69c391a3bcc93e88378a4e4818a2a9181
SHA256:	532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28
SHA512:	e5b2799fab9f63de7162d665ea5e8356d54c3ca368f58b4679211cd87521db4d9f80bf2c8104b32e3f3c4d712af2a971cff92406ad22a38295928376fa25b3b1
SSDEEP:	24576:XPT/TXZ/ngay5PIhCPgI65AzwWK1fraAhdDRjH2Msfwpu:TTpgICiuGfrn7DRjWMVu
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............VB......VT......................VS......VC......VF.....Rich............................PE..L...._._...........

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x24a4c	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27da000	0x89b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x27e3000	0x196c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13d0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x80b8	0x18	.text
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8070	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x37c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kde.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_kde.exe_ed834321750559f607ef26d0f78c84fecfbdd8_3266afc3_0761b0bc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3AD.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA69C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA7F4.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Statistics

Windows Analysis Report
kde.exe