General

Target: c7387f1ae36b2649856c5077edb63e70.exe
Size: 374KB
Sample: 211123-k1794scgd8
Score: 10/10
MD5: c7387f1ae36b2649856c5077edb63e70
SHA1: 27163fe328de1b1fdbc3018c447f68ebb0dc9776
SHA256: c3315d1c3860a9a019c4693680a9d4522a81f3cc804aef5fbb760048401a44af
SHA512: 138507b8e112c150ddcd576e9e0b979304cda1e832dc565162f6b95ebcf76dfe13af8d55a9896f4b562e29732788871e77f6355f653acbc3ef56749bed98016d

Malware Config

Extracted

Family: cryptbot
C2: daqsml22.top, morkjm02.top
Attributes
  payload_url: http://mywmis14.top/download.php?file=kumasi.exe

Extracted

Family: danabot
C2: 142.11.244.223:443, 23.106.122.139:443
Attributes
  embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
  type: loader
  rsa_pubkey.plain
  rsa_privkey.plain

Targets

Target: c7387f1ae36b2649856c5077edb63e70.exe
MD5: c7387f1ae36b2649856c5077edb63e70
Filesize: 374KB
Score: 10/10
SHA1: 27163fe328de1b1fdbc3018c447f68ebb0dc9776
SHA256: c3315d1c3860a9a019c4693680a9d4522a81f3cc804aef5fbb760048401a44af
SHA512: 138507b8e112c150ddcd576e9e0b979304cda1e832dc565162f6b95ebcf76dfe13af8d55a9896f4b562e29732788871e77f6355f653acbc3ef56749bed98016d

Signatures

  • CryptBot

    Description

    A C++ stealer that is widely distributed bundled with other software.

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs

    Query Registry, Virtualization/Sandbox Evasion

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files

  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry

  • Checks whether UAC is enabled

    TTPs

    System Information Discovery

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

Related Tasks

MITRE ATT&CK Matrix

Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1: Score N/A
behavioral1: Score 10/10