General

Target: 590d0d9111ed9bc27b57fbee2298e9eb
Size: 285KB
Sample: 211215-pxxfnaadgp
MD5: 590d0d9111ed9bc27b57fbee2298e9eb
SHA1: c548ed16302741a2d626e51823924d7fe7ea1578
SHA256: f0023f0cdf72f620b0d65713aa917d8f8a409b193e6031fa2fe2e4439b152138
SHA512: 2928ac5c5fb6d61338faa873a74e96eb656241802c830f9607e60775f929f1fa56acb638fc95e926de659aaaf3a81a5479e22fce2412b090733bda324728f328
Static task: static1
Behavioral task: behavioral1
Sample: 590d0d9111ed9bc27b57fbee2298e9eb.exe
Resource: win7-en-20211208
Malware Config

Extracted: cryptbot
C2: sezsmi32.top, morswd03.top
payload_url: http://ekuboh14.top/download.php?file=newish.exe

Extracted: danabot
C2: 142.11.244.223:443, 23.106.122.139:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
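The extracted C2 values above only become useful once they are matched against telemetry. The following is an added example, not part of the sandbox report: it normalises the CryptBot C2 domains, the host of the payload URL and the DanaBot IP:port pairs into one indicator set and runs constructed Sysmon-style DNS-query (Event ID 22) and network-connection (Event ID 3) events through it. The indicator values are the ones listed in the config; the event dicts, the function names (build_iocs, domain_matches, match_event, scan) and the handling of trailing dots, subdomains and port mismatches are my own choices.

```python
"""Match the C2 indicators from the extracted configs against Sysmon-style
events. Added example, not part of the report; SAMPLE_EVENTS are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Indicator values copied from the extracted cryptbot and danabot configs.
CRYPTBOT_C2_DOMAINS = ["sezsmi32.top", "morswd03.top"]
CRYPTBOT_PAYLOAD_URL = "http://ekuboh14.top/download.php?file=newish.exe"
DANABOT_C2 = [("142.11.244.223", 443), ("23.106.122.139", 443)]


def build_iocs():
    """Normalise the config into a domain set and an ip -> {ports} map."""
    domains = {d.lower().rstrip(".") for d in CRYPTBOT_C2_DOMAINS}
    domains.add(urlsplit(CRYPTBOT_PAYLOAD_URL).hostname.lower())
    sockets = {}
    for ip, port in DANABOT_C2:
        sockets.setdefault(str(ipaddress.ip_address(ip)), set()).add(port)
    return {"domains": domains, "sockets": sockets}


def domain_matches(name, domains):
    """Exact match or a subdomain of a listed domain. Using endswith("." + d)
    rather than a bare substring test avoids hits on e.g. notsezsmi32.top."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def match_event(event, iocs):
    """Return a list of (family, reason) hits for one Sysmon-style event."""
    hits = []
    eid = event.get("EventID")
    if eid == 22:  # Sysmon DNS query
        q = event.get("QueryName", "")
        if domain_matches(q, iocs["domains"]):
            hits.append(("cryptbot", f"dns {q}"))
    elif eid == 3:  # Sysmon network connection
        host = event.get("DestinationHostname", "")
        if host and domain_matches(host, iocs["domains"]):
            hits.append(("cryptbot", f"connect {host}"))
        try:
            ip = str(ipaddress.ip_address(event.get("DestinationIp", "")))
        except ValueError:
            return hits  # no usable destination address in this event
        if ip in iocs["sockets"]:
            port = int(event.get("DestinationPort", 0))
            note = "" if port in iocs["sockets"][ip] else " (port differs from config)"
            hits.append(("danabot", f"connect {ip}:{port}{note}"))
    return hits


def scan(events, iocs=None):
    """Run match_event over events; returns [(event_index, family, reason)]."""
    iocs = iocs or build_iocs()
    return [(i, fam, why) for i, ev in enumerate(events)
            for fam, why in match_event(ev, iocs)]


# Constructed events using Sysmon field names, not telemetry from the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": 22, "QueryName": "sezsmi32.top"},
    {"EventID": 22, "QueryName": "morswd03.top."},      # trailing dot from a resolver log
    {"EventID": 22, "QueryName": "notsezsmi32.top"},    # substring trap, must not match
    {"EventID": 22, "QueryName": "cdn.ekuboh14.top"},   # subdomain of the payload host
    {"EventID": 3, "DestinationIp": "142.11.244.223", "DestinationPort": "443"},
    {"EventID": 3, "DestinationIp": "23.106.122.139", "DestinationPort": "80"},
    {"EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
]

if __name__ == "__main__":
    for idx, fam, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {fam}: {why}")
```

A DanaBot IP seen on a port other than the one in the config is still reported, but flagged, since loaders of this kind rotate ports more readily than addresses; the domain match is deliberately suffix-based so that look-alike names do not fire.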
Targets

Target: 590d0d9111ed9bc27b57fbee2298e9eb
Size: 285KB
MD5, SHA1, SHA256, SHA512: as listed under General
Signatures

- Danabot Loader Component
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read to detect virtualised or sandboxed environments.
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  The ThreadHideFromDebugger information class stops debug events from the calling thread reaching an attached debugger, a common anti-debugging technique.
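The two registry-based anti-VM signatures above (BIOS information, VirtualBox ACPI values) describe reads of well-known HKLM locations. The following is an added example, not code from the report or from the sample: it models those reads as a check a sandbox operator can run on their own guest to see which VirtualBox tells are still exposed. The value names and ACPI key paths are the standard Windows ones; the marker list, the function names (vbox_indicators, read_live_snapshot) and the two registry snapshots are my own and are constructed, so the pure check runs on any OS while the live reader only works on Windows.

```python
"""The registry reads behind the 'Checks BIOS information in registry' and
'Identifies VirtualBox via ACPI registry values' signatures, written as a
check a sandbox operator can run on their own VM. Added example, not code
from the report or the sample; the snapshots below are constructed."""
import sys

# HKLM values that anti-VM code commonly reads; VirtualBox stamps its name
# into the BIOS strings and registers ACPI tables under an OEM ID of "VBOX__".
BIOS_VALUES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),   # REG_MULTI_SZ
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),    # REG_MULTI_SZ
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
]
ACPI_TABLES = [r"HARDWARE\ACPI\DSDT", r"HARDWARE\ACPI\FADT", r"HARDWARE\ACPI\RSDT"]
VBOX_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK")  # assumed marker list, not from the report


def vbox_indicators(snapshot):
    """snapshot = {"values": {(key, name): str | list[str]}, "subkeys": {key: [names]}}.
    Returns the reasons the snapshot looks like VirtualBox (empty list = none)."""
    reasons = []
    for key, name in BIOS_VALUES:
        data = snapshot["values"].get((key, name))
        if data is None:
            continue
        for part in (data if isinstance(data, list) else [data]):
            if any(m in part.upper() for m in VBOX_MARKERS):
                reasons.append(f"{key}\\{name} = {part!r}")
                break
    for key in ACPI_TABLES:
        for sub in snapshot["subkeys"].get(key, []):
            if sub.upper().startswith("VBOX"):
                reasons.append(f"{key}\\{sub} present")
    return reasons


def read_live_snapshot():
    """Collect the same values from the live registry (Windows only, via winreg)."""
    import winreg  # imported here so the pure check above runs on any OS
    snap = {"values": {}, "subkeys": {}}
    for key, name in BIOS_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                snap["values"][(key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass  # value absent on this build; not an indicator by itself
    for key in ACPI_TABLES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                count = winreg.QueryInfoKey(k)[0]
                snap["subkeys"][key] = [winreg.EnumKey(k, i) for i in range(count)]
        except OSError:
            pass
    return snap


# Constructed snapshots: a stock VirtualBox guest and a physical machine.
VBOX_SNAPSHOT = {
    "values": {
        (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["VBOX   - 1"],
        (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): ["Oracle VM VirtualBox VGA BIOS"],
        (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"): "innotek GmbH",
        (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"): "VirtualBox",
    },
    "subkeys": {k: ["VBOX__"] for k in ACPI_TABLES},
}
PHYSICAL_SNAPSHOT = {
    "values": {
        (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["ACME   - 1072009", "1.17.0"],
        (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): ["Intel Video BIOS"],
        (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"): "Acme Inc.",
        (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"): "Workstation 7420",
    },
    "subkeys": {r"HARDWARE\ACPI\DSDT": ["ACME__"]},
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else VBOX_SNAPSHOT
    for reason in vbox_indicators(snap):
        print("VirtualBox indicator:", reason)
```

Every reason the check returns is a string a sample like this one can read without privileges, so each one left in place on an analysis guest is a reason for the loader to stop before it ever reaches the DanaBot C2 listed in the config.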