General
- Target: a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4
- Size: 6.2MB
- Sample: 211022-v5cn4sbhd5
- MD5: b1fdb02f9a318cdff5cd3a4a38fe7037
- SHA1: 873896ece2ef8d9f918715eb1a15a5d30c66c25b
- SHA256: a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4
- SHA512: 064145e4d384a8332261beb8116620f4cb19ac471a50fb79d5ad74146342d2ddfbda38b20a36ddd134d554ab6024ca7dbc396508be90142482e4e60a94219c76
Static task: static1
Malware Config
Extracted: danabot
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: loader
Extracted: danabot
2052
4
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: main
Targets
- Target: a24784cc4bd53f7d3ca9700802dd60d01bf245128e95800ccd60841f1e1075f4
- Danabot Loader Component
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger