General

  • Target

    lEDVIkQSVYhQAzRgNIlEfQ.dll

  • Size

    355KB

  • Sample

    200319-gqzhmzjadx

  • MD5

    edb09790e89ee476cfb7e66a1f7cad7b

  • SHA1

    f25e69a0447936ec278808bdfb942a4e7125c46c

  • SHA256

    0578160ca0061e8b9b0e61ecb6b057babdeff7580d5a58e0724e7bb4e7e51d93

  • SHA512

    ebd154521917fb876736dcb62ce35517dcf5ccf513a8903544f681ac2d1adacff894dfe3615a1f005e65b8cb738ac47ab83ac85eaa16bfd897a1868e3d16aecb

Malware Config

Extracted

Family

danabot

C2

209.182.218.222

185.227.109.40

185.136.165.128

161.129.65.197

217.182.56.71

254.55.37.53

228.175.167.154

56.38.135.17

168.127.65.186

185.181.8.49

177.53.120.108

157.123.89.246

238.110.47.221

80.48.35.224

114.236.40.89

33.249.82.114

rsa_pubkey.plain

Targets

    • Target

      lEDVIkQSVYhQAzRgNIlEfQ.dll


    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Technique, ATT&CK ID (signature count)

  • Persistence

    Registry Run Keys / Startup Folder, T1060 (2)

  • Defense Evasion

    Modify Registry, T1112 (3)

    Install Root Certificate, T1130 (1)

  • Credential Access

    Credentials in Files, T1081 (1)

  • Discovery

    Query Registry, T1012 (3)

    Peripheral Device Discovery, T1120 (1)

    System Information Discovery, T1082 (2)

  • Collection

    Data from Local System, T1005 (1)

Tasks