General
-
Target
setup_x86_x64_install.exe
-
Size
1.7MB
-
Sample
210722-28wk7xav9a
-
MD5
a0c815817a5d6cd64ad038e72dedaee8
-
SHA1
5f9d3eab51421cd8997d4f5715052ce89e23e940
-
SHA256
c017bcbebdb59082e79f2409c23e991948262e7645f191ee1c70c5d9ce3aa9c0
-
SHA512
237a6b85ff1d64b641c761e8280ca199c30592ff589a13279c835cfca016f5006fb44c7fea3b483f505479eafee56963776fee5ea9ae01b640dc88ab31456b78
Malware Config
Extracted
danabot
1987
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
Targets
-
-
Target
setup_x86_x64_install.exe
-
Size
1.7MB
-
MD5
a0c815817a5d6cd64ad038e72dedaee8
-
SHA1
5f9d3eab51421cd8997d4f5715052ce89e23e940
-
SHA256
c017bcbebdb59082e79f2409c23e991948262e7645f191ee1c70c5d9ce3aa9c0
-
SHA512
237a6b85ff1d64b641c761e8280ca199c30592ff589a13279c835cfca016f5006fb44c7fea3b483f505479eafee56963776fee5ea9ae01b640dc88ab31456b78
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-