General
Target: 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54
Size: 5.4MB
Sample: 211219-n4mz5ahagp
MD5: 4e07d0940260e75233155f4ed5ecca68
SHA1: a632e1724d139e684ebb8331e136d95abbb1d576
SHA256: 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54
SHA512: dcb5d48d26bea6c3a882cfa081008405361edf686e1306b2f546e89f758360a9956d39365789b4603d09406f4c7afbde9ae647ae6b44f738990c9624fd351f26
Static task: static1

Malware Config
Extracted: danabot
4
C2: 142.11.244.223:443
C2: 23.106.122.139:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
Targets
Target: 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54
Size: 5.4MB
MD5: 4e07d0940260e75233155f4ed5ecca68
SHA1: a632e1724d139e684ebb8331e136d95abbb1d576
SHA256: 5c2d31cdb374ea1186d985bd47b7f5aa6bafd53b3228edd32ee57e6e0a408f54
SHA512: dcb5d48d26bea6c3a882cfa081008405361edf686e1306b2f546e89f758360a9956d39365789b4603d09406f4c7afbde9ae647ae6b44f738990c9624fd351f26
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger