General
Target: 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7
Size: 5.4MB
Sample: 211219-v2s7paggd4
MD5: 6851ee86ef723624b9d8bb881188b745
SHA1: bd1354f4b1679b4b5aa79bb3af38d3e041ebd24c
SHA256: 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7
SHA512: 24ca73eb150904362a14577bbbd88f585412f1b1e660631ae7614d80d0dbea58d877548d8f816e56d76933bdc8af734051183624e728b2653a59713f7e75c7fa
Static task
static1

Malware Config
Extracted
danabot
4
142.11.244.223:443
23.106.122.139:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
Targets
Target: 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7
Size: 5.4MB
MD5: 6851ee86ef723624b9d8bb881188b745
SHA1: bd1354f4b1679b4b5aa79bb3af38d3e041ebd24c
SHA256: 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7
SHA512: 24ca73eb150904362a14577bbbd88f585412f1b1e660631ae7614d80d0dbea58d877548d8f816e56d76933bdc8af734051183624e728b2653a59713f7e75c7fa
- Danabot Loader Component
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger