General
-
Target
a05d9b29e34317da6d095e7330e6b216.exe
-
Size
5.3MB
-
Sample
210210-evhek12bbn
-
MD5
a05d9b29e34317da6d095e7330e6b216
-
SHA1
4005a2fd5196ad145064278084430e6ef43380ed
-
SHA256
8e76055823664f0cabcd8fdd17ccdef01f0dcc584346b59d8c0dfbfefa547ab2
-
SHA512
488f995c27bb29a0ae789c7d50ccb872b7825eae1c2564f55fd0c9e1811845e24296d8cc8a41d58afa5054f1bba2abeac874913e6bc1baa97ba0cc08740f9ef9
Static task
static1
Behavioral task
behavioral1
Sample
a05d9b29e34317da6d095e7330e6b216.exe
Resource
win7v20201028
Malware Config
Extracted
danabot
1765
3
172.93.201.39:443
134.119.186.198:443
192.236.192.241:443
104.168.156.222:443
-
embedded_hash
82C66843DE542BC5CB88F713DE39B52B
Targets
-
-
Target
a05d9b29e34317da6d095e7330e6b216.exe
-
Size
5.3MB
-
MD5
a05d9b29e34317da6d095e7330e6b216
-
SHA1
4005a2fd5196ad145064278084430e6ef43380ed
-
SHA256
8e76055823664f0cabcd8fdd17ccdef01f0dcc584346b59d8c0dfbfefa547ab2
-
SHA512
488f995c27bb29a0ae789c7d50ccb872b7825eae1c2564f55fd0c9e1811845e24296d8cc8a41d58afa5054f1bba2abeac874913e6bc1baa97ba0cc08740f9ef9
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-