General

Target: nq8qKG6gEK7T9JHBQ7UA.exe
Size: 5.2MB
Sample: 210204-lk378x5m6s
MD5: f679b1ac6c3352b57474d05c88c80133
SHA1: f7ea6d5eb0cdecdc3ae1c550f7d3430cb490432c
SHA256: 311a51eef668a68b50238afa2b983f99d8c92149493a63a9aaf64205cee2267b
SHA512: 31bcae552d0c46361611dc51ebeb79e2bcf776c2167839f3bf6d85c560efce759863f2c24b3d5d5ba4ec374ca0aac22cfe8953f44a78e7d20480f4af14db8e5f
Static task: static1
Behavioral task: behavioral1
Sample: nq8qKG6gEK7T9JHBQ7UA.exe
Resource: win7v20201028 (Windows 7 analysis image)
Malware Config

Extracted: danabot
1765
3
C2 (host:port):
  193.34.167.163:443
  78.138.98.136:443
  134.119.186.198:443
  172.93.201.39:443
embedded_hash: 82C66843DE542BC5CB88F713DE39B52B
Targets

Target: nq8qKG6gEK7T9JHBQ7UA.exe (5.2MB; same MD5/SHA1/SHA256/SHA512 as listed under General)
Signatures (behavioral1):

- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  On a VirtualBox guest the ACPI tables exposed under HKLM\HARDWARE\ACPI carry a VBOX__ OEM identifier; reading those keys is a common VM check.
- Blocklisted process makes network request
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information (HKLM\HARDWARE\DESCRIPTION\System, e.g. SystemBiosVersion/VideoBiosVersion) is often read in order to detect sandboxing environments.
- Drops startup file
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment; its presence is visible via the Software\Wine registry key.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system, which also reveals analysis tools.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  NtSetInformationThread with ThreadHideFromDebugger (class 0x11) stops debug events for that thread from reaching an attached debugger, a common anti-debugging measure.
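Several of the signatures above are driven by the registry keys and native API calls the sample touches. The following is an added example, not part of this report or of the sandbox's own signature engine: a small rule set that reproduces those registry/API checks and runs them over a constructed API trace. The trace format (`api=... key=... value=...` per line), the trace contents, and the rule names and patterns are assumptions chosen for illustration; the key paths and the 0x11 thread-information class are the standard Windows values.

```python
"""Rule-based detection of anti-VM / anti-debug registry and API activity.

Added example. SAMPLE_TRACE is a constructed API trace in a hypothetical
"field=value" format; it is not output from the report above.
"""
import re
from collections import defaultdict

# Constructed sample trace (not real sandbox output). One API call per line.
SAMPLE_TRACE = """\
api=RegOpenKeyExW key=HKLM\\HARDWARE\\DESCRIPTION\\System
api=RegQueryValueExW key=HKLM\\HARDWARE\\DESCRIPTION\\System value=SystemBiosVersion
api=RegQueryValueExW key=HKLM\\HARDWARE\\DESCRIPTION\\System value=VideoBiosVersion
api=RegOpenKeyExW key=HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__
api=RegOpenKeyExW key=HKCU\\Software\\Wine
api=RegOpenKeyExW key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
api=RegEnumKeyExW key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
api=NtSetInformationThread class=0x11
api=RegOpenKeyExW key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""

# Each rule: (signature name, {field: regex}). Every listed field must be
# present in the trace line and match its regex (case-insensitive search).
RULES = [
    ("Checks BIOS information in registry",
     {"api": r"^RegQueryValueExW$",
      "key": r"^HKLM\\HARDWARE\\DESCRIPTION\\System$",
      "value": r"^(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$"}),
    ("Identifies VirtualBox via ACPI registry values",
     {"key": r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"}),
    ("Identifies Wine through registry keys",
     {"key": r"^HK(LM|CU)\\Software\\Wine$"}),
    ("Checks installed software on the system",
     {"api": r"^Reg(Open|Enum)KeyExW$",
      "key": r"CurrentVersion\\Uninstall$"}),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     # ThreadHideFromDebugger is THREADINFOCLASS 17 (0x11).
     {"api": r"^NtSetInformationThread$", "class": r"^0x11$"}),
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one 'k=v k=v' trace line into a dict (empty dict if no fields)."""
    return dict(FIELD_RE.findall(line))


def _matches(fields, conditions):
    return all(field in fields and re.search(pat, fields[field], re.IGNORECASE)
               for field, pat in conditions.items())


def scan_trace(trace):
    """Return {signature name: [1-based line numbers that triggered it]}."""
    hits = defaultdict(list)
    for lineno, line in enumerate(trace.splitlines(), 1):
        fields = parse_line(line)
        if not fields:
            continue
        for name, conditions in RULES:
            if _matches(fields, conditions):
                hits[name].append(lineno)
    return dict(hits)


def triggered_signatures(trace):
    """Sorted list of signature names that fired at least once."""
    return sorted(scan_trace(trace))


if __name__ == "__main__":
    for name, lines in scan_trace(SAMPLE_TRACE).items():
        print(f"{name}: lines {lines}")
```

The BIOS rule deliberately requires the value read (RegQueryValueExW on SystemBiosVersion and similar), not just opening HKLM\HARDWARE\DESCRIPTION\System, because many benign programs open that key; the Uninstall rule fires on enumeration as well as open, since enumerating the subkeys is what reveals installed analysis tools. The final Run-key line matches no rule here, which illustrates the gap: persistence via the Run key is a separate signature and would need its own rule.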