General

  • Target

    Gabriel's Message to Bike Thief (320 kbps).mp3

  • Size

    1.2MB

  • Sample

    240804-bqpwca1hqj

  • MD5

    31d707645793d1a2bec01c0aea70544d

  • SHA1

    75cebdbbd30eef5e342ec5405a953b7d3f65cc0b

  • SHA256

    66b077c58bca07756617e3469e3a6238dae76d411a14bc9b7d4986a7cecf6e16

  • SHA512

    1ea3d5fcecb660ff9edcccc654c42472b86eb3971b0d864f7a82c509c046a544185c9d103450c618eaf66e3abc5a65cf846ee480a5e3e5a0325c3961b07a0571

  • SSDEEP

    24576:B2lSxkffvOVT7lnR12C4KzvAs7bTMOYZ1byhlBjVnL5r:UAiv675ikTfMOCyZVV

Malware Config

Extracted

Language

xlm4.0

Source

xlm40.dropper

URLs

https://erpoweredent.at/3/zte.dll

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain
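
The C2 addresses and dropper URL above are the indicators a responder would sweep proxy and firewall logs for. The following is an added example (not part of the report or of Triage's tooling) that loads those indicators and runs them over a constructed proxy log; the log format, the client addresses and the benign lines are assumptions made for the example, and a production matcher would normally also check the download host's IP history, since the DanaBot C2 list changes between builds.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the report above (DanaBot C2 addresses, XLM 4.0 dropper URL, sample hash).
DANABOT_C2 = {
    "51.178.195.151", "51.222.39.81", "149.255.35.125", "38.68.50.179", "51.77.7.204",
}
DROPPER_URLS = {"https://erpoweredent.at/3/zte.dll"}
DROPPER_HOSTS = {urlparse(u).hostname for u in DROPPER_URLS}
SAMPLE_SHA256 = {"66b077c58bca07756617e3469e3a6238dae76d411a14bc9b7d4986a7cecf6e16"}

# Constructed proxy-log format used for this example (not a real product's format):
# <timestamp> <client_ip> <dest_ip>:<port> <method> <url> <sha256-of-response-body or ->
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def match_iocs(line):
    """Return [(ioc_type, value), ...] for one log line; [] if clean or unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, _client, dest_ip, _port, _method, url, body_sha256 = m.groups()
    hits = []
    if dest_ip in DANABOT_C2:
        hits.append(("danabot_c2_ip", dest_ip))
    if url in DROPPER_URLS:
        hits.append(("dropper_url", url))
    else:
        # A different path on the same host is still worth flagging: the staging
        # server, not the exact object name, is the durable indicator.
        host = urlparse(url).hostname
        if host in DROPPER_HOSTS:
            hits.append(("dropper_host", host))
    if body_sha256.lower() in SAMPLE_SHA256:
        hits.append(("sample_sha256", body_sha256.lower()))
    return hits


def scan_log(lines):
    """Scan an iterable of log lines; return [(line_number, ioc_type, value), ...]."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for ioc_type, value in match_iocs(line):
            findings.append((n, ioc_type, value))
    return findings


# Constructed sample traffic: lines 1 and 6 are benign, lines 2 to 5 should each fire.
SAMPLE_LOG = [
    "2024-08-04T10:00:01Z 10.0.0.12 203.0.113.10:443 GET https://www.example.com/ -",
    "2024-08-04T10:00:05Z 10.0.0.12 203.0.113.9:443 GET https://erpoweredent.at/3/zte.dll -",
    "2024-08-04T10:00:06Z 10.0.0.12 203.0.113.9:443 GET https://erpoweredent.at/3/other.bin -",
    "2024-08-04T10:00:09Z 10.0.0.12 51.178.195.151:443 POST https://51.178.195.151/ -",
    "2024-08-04T10:00:11Z 10.0.0.12 203.0.113.11:443 GET https://cdn.example.net/song.mp3 "
    "66b077c58bca07756617e3469e3a6238dae76d411a14bc9b7d4986a7cecf6e16",
    "2024-08-04T10:00:12Z 10.0.0.12 10.0.0.1:445 CONNECT - -",
]

if __name__ == "__main__":
    for n, ioc_type, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ioc_type} = {value}")
```

The scan matches on the destination IP rather than on any hostname in the URL, because the DanaBot main module talks to its C2 by raw address, and matches the dropper host as well as the exact URL so that a renamed payload on the same server is not missed.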

Targets

    • Target

      Gabriel's Message to Bike Thief (320 kbps).mp3

    • Danabot

      DanaBot is a modular banking trojan written in Delphi: a loader stages the main module, which in turn fetches plugins (credential stealer, VNC, proxy) from the C2 servers listed above. It has been linked with, and distributed alongside, other malware families.

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    • Floxif, Floodfix

      Floxif, also known as FloodFix, is a file-infecting trojan and backdoor written in C++; it patches existing executables and DLLs on disk so that they load its payload.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Detects Floxif payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Suspicious Office macro

      Office document containing Excel 4.0 (XLM) macros, the legacy sheet-based macro language that runs without VBA and is often used as a dropper.

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with the ACProtect packer/protector, versions 1.3x to 1.4x.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check to avoid running in unwanted regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or with a modified build of the open-source UPX packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2
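
Two of the signatures above, "Downloads MZ/PE file" and "UPX packed file", are simple header checks that a responder can reproduce on a captured download or a dropped DLL. The following is an added example (not part of the report or of Triage's signature set) that parses the DOS and PE headers by hand, walks the section table and flags UPX by its standard section names; the header-only PE blobs it builds are constructed test data, and the section-name heuristic is exactly what a "modified UPX" build defeats by renaming its sections, so a hit is evidence and a miss is not.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
SECTION_HEADER_SIZE = 40


def parse_pe_sections(data):
    """Return the section names of a PE image, or None if data is not a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return None
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER follows the signature; NumberOfSections is at +6,
    # SizeOfOptionalHeader at +20, and the section table starts right after the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    if table + SECTION_HEADER_SIZE * num_sections > len(data):
        return None
    names = []
    for i in range(num_sections):
        off = table + SECTION_HEADER_SIZE * i
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def is_upx_packed(section_names):
    """Stock UPX names its sections UPX0/UPX1 (and UPX2 for resources); a rebuilt UPX may not."""
    return any(n.startswith("UPX") for n in section_names)


def classify_download(body):
    """Reproduce the two sandbox checks on a response body: is it a PE, and is it UPX-packed?"""
    names = parse_pe_sections(body)
    if names is None:
        return {"pe": False, "upx": False, "sections": []}
    return {"pe": True, "upx": is_upx_packed(names), "sections": names}


def build_fake_pe(section_names, opt_size=0xE0):
    """Construct a minimal header-only PE blob for testing (constructed data, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(IMAGE_DOS_SIGNATURE + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE).
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional_hdr = bytes(opt_size)
    sections = b"".join(struct.pack("<8s32x", n.encode("ascii")) for n in section_names)
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + optional_hdr + sections


if __name__ == "__main__":
    for label, blob in [
        ("upx-packed", build_fake_pe(["UPX0", "UPX1", ".rsrc"])),
        ("plain", build_fake_pe([".text", ".rdata", ".data"])),
        ("mp3-like", b"ID3\x03\x00" + bytes(64)),
    ]:
        print(label, classify_download(blob))
```

Run the same check on a real artefact by reading it with open(path, "rb").read(); the parser only needs the headers, so the first few kilobytes of a download stream are enough to raise the "MZ/PE" verdict before the body finishes transferring.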

MITRE ATT&CK Enterprise v15

Tasks