Resubmissions

22-10-2024 00:20

241022-amwdaavhka 10

22-10-2024 00:16

241022-akkh1axdjl 10

22-10-2024 00:12

241022-ag8fnaxbnk 9

22-10-2024 00:09

241022-afjqxaxalp 8

22-10-2024 00:06

241022-adv16awgrr 6

General

  • Target

    WaveInstaller.exe

  • Size

    2.3MB

  • Sample

    241022-amwdaavhka

  • MD5

    215d509bc217f7878270c161763b471e

  • SHA1

    bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9

  • SHA256

    984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886

  • SHA512

    68e615dfcb1b7770ad64175438a913744c14bdd3af93b339c2b526271bdd0d23334e78d049fdae8ca9fe66672a8cf252ebf891be9ab6c46a3d8f1fb00fa8c83b

  • SSDEEP

    49152:LinbT3qpTDQSmanAmwJAaDMg33U2pLOiniT:LinKpTJmWAmmAMP8in

Malware Config

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Targets

    • Target

      WaveInstaller.exe

    • Size

      2.3MB

    • MD5

      215d509bc217f7878270c161763b471e

    • SHA1

      bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9

    • SHA256

      984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886

    • SHA512

      68e615dfcb1b7770ad64175438a913744c14bdd3af93b339c2b526271bdd0d23334e78d049fdae8ca9fe66672a8cf252ebf891be9ab6c46a3d8f1fb00fa8c83b

    • SSDEEP

      49152:LinbT3qpTDQSmanAmwJAaDMg33U2pLOiniT:LinKpTJmWAmmAMP8in

    • Chimera

      Ransomware which infects local and network files, often distributed via Dropbox links.

    • Chimera Ransomware Loader DLL

      Drops/unpacks executable file which resembles Chimera's Loader.dll.

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    • Modifies WinLogon for persistence

    • Renames multiple (3271) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks