
New Danabot version doesn't run in CAPEv2

Open · yevhenprotsenko opened this issue 3 years ago · 1 comment

Hi guys!

I was investigating a new Danabot version and it doesn't detonate in CAPEv2 sandbox.

sha256: f6fdb459d51408aee8732eab0959d00b4e63651852dd7c37a8fefa328aa7beef f6fdb459d51408aee8732eab0959d00b4e63651852dd7c37a8fefa328aa7beef.zip

Danabot C2:

200.124.189.120:443
23.106.122.14:443
5.9.224.217:443

The original file should drop the rundll32 and inject the final stage into it.

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61

I don't see any anti-features in the code except IsDebugger checking.

Can you please check it? Thanks in advance!

I suspect the issue can be with: SetUnhandledExceptionFilter detected (possible anti-debug).

yevhenprotsenko · Mar 03 '22 16:03
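The behaviour described in the report (a rundll32.exe host started with shell32.dll,#61, then the injected stage talking to one of the listed C2 endpoints) is the kind of chain a sandbox signature keys on. The block below is an added example written for this page, not code from the reporter or from the CAPEv2 project: it takes sandbox events in a hypothetical pipe-separated "kind|pid|ppid|value" format (the event format, the dropper path and the benign 10.0.0.5 connection are constructed; only the rundll32 command line and the three C2 ip:port pairs come from the issue), flags the injection host, and ties a C2 contact back to that host's pid.

```python
"""Offline triage of constructed sandbox events for the Danabot chain described in the issue."""
import re
from dataclasses import dataclass, field

# C2 endpoints (ip, port) copied from the issue text.
DANABOT_C2 = {
    ("200.124.189.120", 443),
    ("23.106.122.14", 443),
    ("5.9.224.217", 443),
}

# Matches the injection-host command line quoted in the issue:
#   "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
# Quotes and the SysWOW64 prefix are optional so minor variations still match.
RUNDLL32_SHELL32_61 = re.compile(
    r'"?(?:[a-z]:\\windows\\syswow64\\)?rundll32\.exe"?\s+'
    r'"?(?:[a-z]:\\windows\\syswow64\\)?shell32\.dll"?\s*,\s*#61\b',
    re.IGNORECASE,
)


@dataclass
class Event:
    kind: str   # "process" (value = command line) or "connect" (value = "ip:port")
    pid: int
    ppid: int
    value: str


def parse_event(line: str) -> Event:
    """Parse one line of the hypothetical 'kind|pid|ppid|value' format (assumed, not CAPE's)."""
    kind, pid, ppid, value = line.rstrip("\n").split("|", 3)
    if kind not in ("process", "connect"):
        raise ValueError(f"unknown event kind: {kind}")
    return Event(kind, int(pid), int(ppid), value)


@dataclass
class Findings:
    injection_hosts: list = field(default_factory=list)  # (pid, ppid, cmdline)
    c2_contacts: list = field(default_factory=list)      # (pid, ip, port)
    c2_from_host: bool = False                           # C2 contact made by a flagged rundll32 pid


def triage(lines) -> Findings:
    """Flag the rundll32/shell32.dll,#61 host and any contact with the listed C2 endpoints."""
    findings = Findings()
    host_pids = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.kind == "process" and RUNDLL32_SHELL32_61.search(ev.value):
            findings.injection_hosts.append((ev.pid, ev.ppid, ev.value))
            host_pids.add(ev.pid)
        elif ev.kind == "connect":
            ip, _, port = ev.value.rpartition(":")
            if (ip, int(port)) in DANABOT_C2:
                findings.c2_contacts.append((ev.pid, ip, int(port)))
                # The final stage is injected into rundll32, so the beacon should come from that pid.
                if ev.pid in host_pids:
                    findings.c2_from_host = True
    return findings


# Constructed sample events (not a real sandbox log): dropper, its rundll32 child,
# a C2 connect from that child, and an unrelated connection that must not match.
SAMPLE_EVENTS = [
    "process|1100|800|C:\\Users\\user\\AppData\\Local\\Temp\\sample.exe",
    'process|1240|1100|"C:\\Windows\\syswow64\\rundll32.exe" "C:\\Windows\\syswow64\\shell32.dll",#61',
    "connect|1240|1100|200.124.189.120:443",
    "connect|1300|800|10.0.0.5:443",
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("injection hosts:", result.injection_hosts)
    print("C2 contacts:", result.c2_contacts)
    print("C2 beacon from injected host:", result.c2_from_host)
```

The pid correlation is the part worth keeping: a rundll32.exe with shell32.dll,#61 alone is only suspicious, but the same pid opening a connection to a known C2 is the injected final stage running, which is the detonation the report says was missing.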

wait msg from Nick ;)

doomedraven · Mar 03 '22 16:03

just tested, it detonates now

doomedraven · Jan 20 '23 16:01