General
Target: PCspeeder_4.bin
Size: 5.1MB
Sample: 200923-gchld45dnx
MD5: f598d0b8bd377286c61624b61a48e9e9
SHA1: e23781f538220df5cb5263fa0f9db92db9162bf4
SHA256: 38f3cba0f8de19bbfe1a9faa79e81d9f4eba08593b3e2c391bf9597ccd9810a1
SHA512: cdd14bcb2b608c07c451ea34ba327da2093c53f9c8e9852bb4e53cbcf2a9abfa0c94c09dde01baa580e11d16af49f4377dc52e809f7aaf53b3cb8ee055249720
Static task: static1
Behavioral task: behavioral1
Sample: PCspeeder_4.bin.exe
Resource: win7

Malware Config
Extracted: danabot
  89.44.9.132
  64.188.23.70
  179.43.133.35
  45.147.231.218
  89.45.4.126
Targets
Target: PCspeeder_4.bin
- Danabot x86 payload: Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger