General

  • Target

    5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8

  • Size

    586KB

  • Sample

    200316-9wen9he6qx

  • MD5

    84199f05e4ed67e1e80b1249aff5dbd8

  • SHA1

    0958acfba862f8c7e9a7057d9bd098ffca49b1c1

  • SHA256

    5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8

  • SHA512

    9bf5d946a7a6b91c8aafe85054a0f304fcd09e84bbe75408575f0cdebcb64c080765aeb98a3a165087dda1b594b6d0aa6828697cf6db23490156f57a6444a917

Malware Config

Extracted

Family

danabot

C2

5.61.56.192

5.61.58.130

2.56.212.4

37.149.137.207

160.201.198.109

61.8.211.106

12.37.246.239

93.24.204.214

194.27.196.221

2.56.213.39

rsa_pubkey.plain

Targets

    • Target

      5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8

    • Size

      586KB

    • MD5

      84199f05e4ed67e1e80b1249aff5dbd8

    • SHA1

      0958acfba862f8c7e9a7057d9bd098ffca49b1c1

    • SHA256

      5ad49d198a05d8f867d7a65fb74aa6e50ea1954c25282a4ba419b18bd57883a8

    • SHA512

      9bf5d946a7a6b91c8aafe85054a0f304fcd09e84bbe75408575f0cdebcb64c080765aeb98a3a165087dda1b594b6d0aa6828697cf6db23490156f57a6444a917

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

3
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks