General
Target: run.zip
Size: 418KB
Sample: 200402-t8d1ab7f1n
MD5: 304fea62b42284a0e5e76cd3380193f7
SHA1: f29e671f42fa39e75f8d68500094aa4f15334d94
SHA256: 49b4263f1b3d4f76fdbfc96d310967a5eb620723bfc3f3380e41cff42152941c
SHA512: 52f723848f7f8b4bd7977e7677d597a9bdb27e075042781264ef066a98982b9036408b45941cbabf21767710d9ddac8037b54e0937fead94e22a722861b6b34b
Behavioral task: behavioral1
Sample: run.bat
Resource: win7v200217
Malware Config
Extracted: danabot
Targets
Target: run.bat
Size: 25B
MD5: ae427234cb9d801f7bde9cdda8dd6abe
SHA1: 8a9e82935ffc899cb98c12091315460a008f75d6
SHA256: ae817f0b25a5393941c27b2136a58b7d1b47c6f7df2db0e850aae83cda20651c
SHA512: 21103b16f6d35199c1892e7e1fddbcc1f23fba24db5c48d79780d553de4cd11d565f959f2f334416a8fa7bc9340c59ee4e17ab199bb37b1032f697bd1c179a0c
- Danabot x86 payload: Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
- Blocklisted process makes network request
- Executes dropped EXE
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext