General

  • Target

    c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d.bin

  • Size

    4.4MB

  • Sample

    210125-x8xjd47fja

  • MD5

    c55a1a3a135dcc3a771ea4648862a202

  • SHA1

    7c156e5701b0cf7eaf3a38cc1f5f68992bfe62f8

  • SHA256

    c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d

  • SHA512

    c1254cad4d620b96a2a620ef54a3c6391a3ddfece27819348cac5166489f788b827828f227c2dd5f893152d5c591eb1f63cfe14e99ad098f14b5b9ff59fce521

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

23.226.132.92:443

23.106.123.249:443

108.62.141.152:443

104.144.64.163:443

Attributes
  • embedded_hash

    49574F66CD0103BBD725C08A9805C2BE

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d.bin

    • Size

      4.4MB

    • MD5

      c55a1a3a135dcc3a771ea4648862a202

    • SHA1

      7c156e5701b0cf7eaf3a38cc1f5f68992bfe62f8

    • SHA256

      c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d

    • SHA512

      c1254cad4d620b96a2a620ef54a3c6391a3ddfece27819348cac5166489f788b827828f227c2dd5f893152d5c591eb1f63cfe14e99ad098f14b5b9ff59fce521

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

1
T1005

Tasks