General

Target: 1e224644880c67be4e40bf9289e1277094d66e7cf7547bb9bc2290c79bd2ac2e
Size: 5.6MB
Sample: 211218-m1zzvaeha3
MD5: b07af9e0cae7f5541c447749a0ac2bfb
SHA1: 5420cdb06b2482f38c63ddf85ca65a4f836c2c42
SHA256: 1e224644880c67be4e40bf9289e1277094d66e7cf7547bb9bc2290c79bd2ac2e
SHA512: 26b9dbf93f9bf554e34e86391b3a8c78da25d678d9b9e583f7a77d503da241974320722bfbd948abe640678aa9aaa643acbea471d5e1eb9ab7b1e406ce680a2c
Static task: static1

Malware Config

Extracted
Family: danabot
Version: 4
C2: 142.11.244.223:443
C2: 23.106.122.139:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
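The extracted config is only useful once it is turned into something that can be hunted for. The following is an added example, not part of the sandbox output: it takes the two C2 endpoints and the sample hashes from this report and scans a set of constructed firewall log lines (the key=value log format is an assumption) for connections to the C2 hosts, reporting separately when a C2 host is contacted on a port other than the configured one, and checks arbitrary file bytes against the sample hashes.

```python
"""Hunt for the indicators in the extracted DanaBot config.

Added example for this report; it is not part of the sandbox output.
The indicator values are copied from the report above. The log lines are
constructed for illustration and the log format (key=value firewall style)
is an assumption.
"""
import hashlib
import re
from dataclasses import dataclass

# From the report: Malware Config C2 list and sample hashes.
C2_ENDPOINTS = ["142.11.244.223:443", "23.106.122.139:443"]
SAMPLE_HASHES = {
    "md5": "b07af9e0cae7f5541c447749a0ac2bfb",
    "sha1": "5420cdb06b2482f38c63ddf85ca65a4f836c2c42",
    "sha256": "1e224644880c67be4e40bf9289e1277094d66e7cf7547bb9bc2290c79bd2ac2e",
}

# Constructed firewall log; 192.0.2.10 is a TEST-NET address used as benign traffic.
SAMPLE_LOG = """\
2021-12-18T13:07:01Z src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp action=allow
2021-12-18T13:07:02Z src=10.0.0.5 dst=142.11.244.223 dport=443 proto=tcp action=allow
2021-12-18T13:07:09Z src=10.0.0.7 dst=23.106.122.139 dport=8443 proto=tcp action=allow
2021-12-18T13:07:15Z src=10.0.0.5 dst=23.106.122.139 dport=443 proto=tcp action=deny
"""

LOG_RE = re.compile(r"\bdst=(?P<dst>\S+)\s+dport=(?P<port>\d+)\b")


@dataclass
class Hit:
    line_no: int
    indicator: str    # host:port seen in the log line
    port_match: bool  # True if the port also equals the configured C2 port
    line: str


def parse_c2(entries):
    """Split 'host:port' strings into (host, port) tuples; reject malformed entries."""
    parsed = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not (sep and host and port.isdigit()):
            raise ValueError(f"malformed C2 entry: {entry!r}")
        parsed.append((host, int(port)))
    return parsed


def scan_network_log(lines, c2_entries=C2_ENDPOINTS):
    """Return a Hit for each line whose destination is a configured C2 host.

    Matching is on the host alone, so a connection to a C2 host on a different
    port is still reported; port_match says whether the configured port was used.
    """
    c2 = parse_c2(c2_entries)
    hosts = {host for host, _ in c2}
    pairs = set(c2)
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, port = m.group("dst"), int(m.group("port"))
        if dst in hosts:
            hits.append(Hit(n, f"{dst}:{port}", (dst, port) in pairs, line))
    return hits


def file_hashes(data):
    """MD5/SHA1/SHA256 of a byte string, keyed like SAMPLE_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_sample(hashes):
    """Return the set of algorithms whose digest equals the report's sample hash."""
    return {alg for alg, digest in hashes.items()
            if SAMPLE_HASHES.get(alg) == digest.lower()}


if __name__ == "__main__":
    for hit in scan_network_log(SAMPLE_LOG.splitlines()):
        flag = "C2 host+port" if hit.port_match else "C2 host, other port"
        print(f"line {hit.line_no}: {hit.indicator} [{flag}]")
    print("hash check on unrelated bytes:",
          matches_sample(file_hashes(b"not the sample")) or "no match")
```

Matching on the host rather than the full host:port pair is deliberate: the config lists port 443 for both servers, but a loader of this type can be reconfigured, and a denied connection to a listed host is still worth an alert.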
Targets

Target: 1e224644880c67be4e40bf9289e1277094d66e7cf7547bb9bc2290c79bd2ac2e
- Danabot Loader Component
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger. Calling NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the thread from delivering debug events to an attached debugger, a common anti-debugging measure.
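The two registry-based signatures above (VirtualBox via ACPI values, BIOS information in the registry) describe what the loader reads but not where. The following is an added example, neither the malware's code nor the sandbox's signature logic: it models such a check against the registry locations these checks commonly consult (an assumption, since the report does not name them), runs it over a constructed snapshot that looks like a stock VirtualBox guest, and on Windows can read the same locations from the live HKLM hive so an analyst can see which markers their own sandbox VM exposes.

```python
"""Model of the VirtualBox/BIOS registry checks behind the anti-VM signatures.

Added example for this report; it is not the malware's code nor the sandbox's
signature logic. The registry locations below are an assumption: the report
only says ACPI and BIOS registry values are read, so this uses the locations
such checks commonly consult. On Windows, read_live_snapshot() reads them from
HKLM; elsewhere the constructed VirtualBox-like snapshot is used.
"""
import sys

# Values under HKLM that usually carry the hypervisor's BIOS strings (assumed set).
CHECKED_VALUES = {
    r"HARDWARE\DESCRIPTION\System": ["SystemBiosVersion", "VideoBiosVersion"],
    r"HARDWARE\DESCRIPTION\System\BIOS": [
        "SystemManufacturer", "SystemProductName", "BIOSVendor", "BIOSVersion",
    ],
}
# ACPI table keys whose subkey names are the table OEM ID (VBOX__ on VirtualBox).
ACPI_KEYS = [r"HARDWARE\ACPI\DSDT", r"HARDWARE\ACPI\FADT", r"HARDWARE\ACPI\RSDT"]
# Substrings that identify a VirtualBox guest (matched case-insensitively).
MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK")

# Constructed snapshot: what a default VirtualBox guest typically exposes.
CONSTRUCTED_SNAPSHOT = {
    "values": {
        r"HARDWARE\DESCRIPTION\System": {
            "SystemBiosVersion": ["VBOX   - 1"],  # REG_MULTI_SZ
            "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.30 VBE Adapter"],
        },
        r"HARDWARE\DESCRIPTION\System\BIOS": {
            "SystemManufacturer": "innotek GmbH",
            "SystemProductName": "VirtualBox",
            "BIOSVendor": "innotek GmbH",
            "BIOSVersion": "VirtualBox",
        },
    },
    "subkeys": {key: ["VBOX__"] for key in ACPI_KEYS},
}


def _as_strings(value):
    """Normalise REG_SZ (str) and REG_MULTI_SZ (list) values to a list of strings."""
    return [str(v) for v in value] if isinstance(value, (list, tuple)) else [str(value)]


def _first_marker(text):
    upper = text.upper()
    return next((m for m in MARKERS if m in upper), None)


def find_vm_indicators(snapshot):
    """Return (location, text, marker) for every checked value or ACPI OEM ID
    that contains a VirtualBox marker. An empty list means nothing was exposed."""
    hits = []
    for key, names in CHECKED_VALUES.items():
        for name in names:
            for text in _as_strings(snapshot["values"].get(key, {}).get(name, "")):
                marker = _first_marker(text)
                if marker:
                    hits.append((f"{key}\\{name}", text, marker))
    for key in ACPI_KEYS:
        for oem_id in snapshot["subkeys"].get(key, []):
            marker = _first_marker(oem_id)
            if marker:
                hits.append((key, oem_id, marker))
    return hits


def read_live_snapshot():
    """Build the same snapshot structure from the live HKLM hive (Windows only)."""
    import winreg  # only available on Windows
    snapshot = {"values": {}, "subkeys": {}}
    for key, names in CHECKED_VALUES.items():
        snapshot["values"][key] = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                for name in names:
                    try:
                        snapshot["values"][key][name] = winreg.QueryValueEx(handle, name)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
    for key in ACPI_KEYS:
        subkeys = []
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                index = 0
                while True:
                    try:
                        subkeys.append(winreg.EnumKey(handle, index))
                        index += 1
                    except OSError:  # no more subkeys
                        break
        except FileNotFoundError:
            pass
        snapshot["subkeys"][key] = subkeys
    return snapshot


if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else CONSTRUCTED_SNAPSHOT
    for location, text, marker in find_vm_indicators(snap):
        print(f"{location}: {text!r} (marker {marker})")
```

Run on an analysis VM, an empty result means the loader's registry-based checks would find nothing at these locations; each line printed is a string worth changing (or a DMI/ACPI table worth patching at the hypervisor) before detonating samples that carry this kind of anti-VM logic.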