748984d40e7ab68b0a130a620b550a3d

General
Target

748984d40e7ab68b0a130a620b550a3d

Size

5MB

Sample

211021-thxv4abdck

Score
10 /10
MD5

748984d40e7ab68b0a130a620b550a3d

SHA1

ac800bb6aaf3172d3d0170300f8ba3dc03304b60

SHA256

4f27a3fe51d0494d18648a7279b2a368f86288148b7c1044d4d24ae7e4dfcca1

SHA512

af6fc23b6ec54e36a150f824060b3b14fbc39c0dd88023bda5891a99d79e6aa81a8300fc053b3f8c004d25399b61e5012898a636b6d3e5e8f695d49df8f93f5c

Malware Config

Extracted

Family danabot
C2

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes
embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader
rsa_pubkey.plain
rsa_privkey.plain
Targets
Target

748984d40e7ab68b0a130a620b550a3d

MD5

748984d40e7ab68b0a130a620b550a3d

Filesize

5MB

Score
10/10
SHA1

ac800bb6aaf3172d3d0170300f8ba3dc03304b60

SHA256

4f27a3fe51d0494d18648a7279b2a368f86288148b7c1044d4d24ae7e4dfcca1

SHA512

af6fc23b6ec54e36a150f824060b3b14fbc39c0dd88023bda5891a99d79e6aa81a8300fc053b3f8c004d25399b61e5012898a636b6d3e5e8f695d49df8f93f5c

Tags

Signatures

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Danabot Loader Component

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion
  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Tags

  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Tasks

                      static1

                      behavioral1

                      9/10