General
-
Target
b386274d567e9a00107ff14e2068a0784770e73ed63c7693ad1702273d5c259f
-
Size
5.5MB
-
Sample
211209-v3k8gadad5
-
MD5
5099479bb0226b5ac90a335c5c50b8bb
-
SHA1
3b622ad14c4704f95377aa376e8341da434a8e9e
-
SHA256
b386274d567e9a00107ff14e2068a0784770e73ed63c7693ad1702273d5c259f
-
SHA512
fc4922d01d33b63b3ffa2d80b7a0fc86e1f612b6b8293a335a516b42f9be813d31a685128c7dfea7eb58133cdec36ba05c05abc502ba5ecd9ac9610ce8b4b5e3
Malware Config
Extracted
danabot
142.11.244.223:443
23.106.122.139:443
-
embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
-
type
loader
Targets
-
-
Target
b386274d567e9a00107ff14e2068a0784770e73ed63c7693ad1702273d5c259f
-
Size
5.5MB
-
MD5
5099479bb0226b5ac90a335c5c50b8bb
-
SHA1
3b622ad14c4704f95377aa376e8341da434a8e9e
-
SHA256
b386274d567e9a00107ff14e2068a0784770e73ed63c7693ad1702273d5c259f
-
SHA512
fc4922d01d33b63b3ffa2d80b7a0fc86e1f612b6b8293a335a516b42f9be813d31a685128c7dfea7eb58133cdec36ba05c05abc502ba5ecd9ac9610ce8b4b5e3
Score10/10-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot Loader Component
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-