Extracted

• • Target

    https://app.mediafire.com/4wqu980yyqesd

  Score

  10^/10

  danabotbankerbootkitbotnetdiscoverypersistenceransomwaretrojanupx

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot

  • Danabot x86 payload

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet

  • Renames multiple (149) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  behavioral1