Overview

overview

10

Static

static

3

Loader.exe

windows7-x64

10

Loader.exe

windows10-2004-x64

Resubmissions

20-06-2024 20:22

240620-y5qgrazfkk 10

20-06-2024 18:55

240620-xkvejawhkq 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Loader.exe

  • Size

    16.6MB

  • Sample

    240620-xkvejawhkq

  • MD5

    d4c24856daa2edf79bd799e83f0a7e68

  • SHA1

    6d75c42674416078e020060ace152eb94b0a47fc

  • SHA256

    5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1

  • SHA512

    6b94b058c08c33cebdbcf8af3c30aec45695cad4f210db76da19c61c057bbbb3383e380d05fd100b976a04c445f8c0283a87584d9ea2f0b3647ae9730b94aa81

  • SSDEEP

    393216:qlJ41TXb46gZ9A9xLj7wAAA7AnxsdAAnBoVakGUIQUTAp:cKl4GL3X7eVAn6VakGUIop

Score
10/10
danabotmimikatzbankerbootkitbotnetevasionexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204
rsa_pubkey.plain

Targets

    • Target

      Loader.exe

    • Size

      16.6MB

    • MD5

      d4c24856daa2edf79bd799e83f0a7e68

    • SHA1

      6d75c42674416078e020060ace152eb94b0a47fc

    • SHA256

      5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1

    • SHA512

      6b94b058c08c33cebdbcf8af3c30aec45695cad4f210db76da19c61c057bbbb3383e380d05fd100b976a04c445f8c0283a87584d9ea2f0b3647ae9730b94aa81

    • SSDEEP

      393216:qlJ41TXb46gZ9A9xLj7wAAA7AnxsdAAnBoVakGUIQUTAp:cKl4GL3X7eVAn6VakGUIop

    Score
    10/10
    evasionexecutionpersistencetrojandanabotmimikatzbankerbootkitbotnetspywarestealer

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

      botnet

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

      mimikatz

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • mimikatz is an open source tool to dump credentials on Windows

    • Blocklisted process makes network request

    • Creates new service(s)

      persistenceexecution

    • Drops file in Drivers directory

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks