General
-
Target
ea25629f3eaf190ab7d1f6d1b1540f2c.exe
-
Size
5.3MB
-
Sample
210211-3ehsn6jste
-
MD5
ea25629f3eaf190ab7d1f6d1b1540f2c
-
SHA1
aba0b98a67e9ea8e32243cef25eff02a84cfddbc
-
SHA256
49771de8bcea44c22d54d1eebc9f05ff0d33f66355fbf9dd77e7e891cd062bcc
-
SHA512
8b1469e27827215fff58160666740bf2edb002c8180def2fe58cb87d1606f60d25df29d7efa5e84dbb896deee36861328b8c70496ec8f95257da3337656b61d9
Static task
static1
Behavioral task
behavioral1
Sample
ea25629f3eaf190ab7d1f6d1b1540f2c.exe
Resource
win7v20201028
Malware Config
Extracted
danabot
1765
3
192.236.192.241:443
134.119.186.199:443
172.93.201.39:443
104.168.156.222:443
-
embedded_hash
82C66843DE542BC5CB88F713DE39B52B
Targets
-
-
Target
ea25629f3eaf190ab7d1f6d1b1540f2c.exe
-
Size
5.3MB
-
MD5
ea25629f3eaf190ab7d1f6d1b1540f2c
-
SHA1
aba0b98a67e9ea8e32243cef25eff02a84cfddbc
-
SHA256
49771de8bcea44c22d54d1eebc9f05ff0d33f66355fbf9dd77e7e891cd062bcc
-
SHA512
8b1469e27827215fff58160666740bf2edb002c8180def2fe58cb87d1606f60d25df29d7efa5e84dbb896deee36861328b8c70496ec8f95257da3337656b61d9
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-