General
-
Target
Loader.exe
-
Size
16.6MB
-
Sample
240620-xkvejawhkq
-
MD5
d4c24856daa2edf79bd799e83f0a7e68
-
SHA1
6d75c42674416078e020060ace152eb94b0a47fc
-
SHA256
5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1
-
SHA512
6b94b058c08c33cebdbcf8af3c30aec45695cad4f210db76da19c61c057bbbb3383e380d05fd100b976a04c445f8c0283a87584d9ea2f0b3647ae9730b94aa81
-
SSDEEP
393216:qlJ41TXb46gZ9A9xLj7wAAA7AnxsdAAnBoVakGUIQUTAp:cKl4GL3X7eVAn6VakGUIop
Malware Config
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Targets
-
-
Target
Loader.exe
-
Size
16.6MB
-
MD5
d4c24856daa2edf79bd799e83f0a7e68
-
SHA1
6d75c42674416078e020060ace152eb94b0a47fc
-
SHA256
5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1
-
SHA512
6b94b058c08c33cebdbcf8af3c30aec45695cad4f210db76da19c61c057bbbb3383e380d05fd100b976a04c445f8c0283a87584d9ea2f0b3647ae9730b94aa81
-
SSDEEP
393216:qlJ41TXb46gZ9A9xLj7wAAA7AnxsdAAnBoVakGUIQUTAp:cKl4GL3X7eVAn6VakGUIop
Score10/10-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies visiblity of hidden/system files in Explorer
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
mimikatz is an open source tool to dump credentials on Windows
-
Blocklisted process makes network request
-
Creates new service(s)
-
Drops file in Drivers directory
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
System Services
2Service Execution
2Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Impair Defenses
1Pre-OS Boot
1Bootkit
1