General
-
Target
395d2c345e8212d9ff97248a13824075.exe
-
Size
641KB
-
Sample
210723-pnf14lckm6
-
MD5
395d2c345e8212d9ff97248a13824075
-
SHA1
8cff8ab4dd9765a60735697d86af2c5d90fdee0f
-
SHA256
7224633aec5f96349eea1bc38ae40d5cbc1d5ed120aee617efca5ba7facafa26
-
SHA512
beeb6bc8769b81df7edf5470921c5c27a686c50405a8f47a1ac00b9a65d3255b69f57094e2055db556c60cb224b133724f8edc69adc0b6b35056acb38847ff86
Malware Config
Extracted
cryptbot
smasrp42.top
morbea04.top
-
payload_url
http://gurdgo06.top/download.php?file=lv.exe
Extracted
danabot
1987
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
Targets
-
-
Target
395d2c345e8212d9ff97248a13824075.exe
-
Size
641KB
-
MD5
395d2c345e8212d9ff97248a13824075
-
SHA1
8cff8ab4dd9765a60735697d86af2c5d90fdee0f
-
SHA256
7224633aec5f96349eea1bc38ae40d5cbc1d5ed120aee617efca5ba7facafa26
-
SHA512
beeb6bc8769b81df7edf5470921c5c27a686c50405a8f47a1ac00b9a65d3255b69f57094e2055db556c60cb224b133724f8edc69adc0b6b35056acb38847ff86
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
CryptBot Payload
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-