danabot | 5d6b33acd126dae1d806ca4b3a3a85ef55abc3f38c31eef95f295ce81ba901d2 | Triage

Submit
Reports

Overview

overview

Static

static

vps.exe

windows7_x64

vps.exe

windows10_x64

1

Sharing

General

Target

vps.exe
Size

617KB
Sample

200308-wr9j1bk3ra
MD5

163b2c613da6d50487576ea4e155c9ff
SHA1

107c19028feb65133f9c2a83ba26c989cf9ca638
SHA256

5d6b33acd126dae1d806ca4b3a3a85ef55abc3f38c31eef95f295ce81ba901d2
SHA512

cdc718948858762f270b7556d4a8e42193d3aa5db5cd036f2291fa3525bd7eee658414b6fa91c15d66f1e6cba368453b78f50462decb7c26850d19ce655fac0a

Score

10^/10

danabot banker botnet discovery persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

vps.exe

Resource

win7v200217

danabot banker botnet discovery persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

vps.exe

Resource

win10v200217

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

danabot

C2

5.61.56.192

5.61.58.130

2.56.212.4

58.188.144.17

123.112.255.121

73.95.154.165

18.179.60.205

47.1.50.27

109.115.156.127

2.56.213.39

226.24.58.229

214.251.0.68

118.124.17.69

32.5.51.86

207.17.93.111

109.80.105.108

rsa_pubkey.plain

Targets

- Target
  
  vps.exe
- Size
  
  617KB
- MD5
  
  163b2c613da6d50487576ea4e155c9ff
- SHA1
  
  107c19028feb65133f9c2a83ba26c989cf9ca638
- SHA256
  
  5d6b33acd126dae1d806ca4b3a3a85ef55abc3f38c31eef95f295ce81ba901d2
- SHA512
  
  cdc718948858762f270b7556d4a8e42193d3aa5db5cd036f2291fa3525bd7eee658414b6fa91c15d66f1e6cba368453b78f50462decb7c26850d19ce655fac0a
Score

10^/10

danabot banker botnet discovery persistence spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Blocklisted process makes network request
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

danabotbankerbotnetdiscoverypersistencespywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy