General

  • Target

    SecuriteInfo.com.Trojan.Coins.Win32.5986.15363.1750

  • Size

    1MB

  • Sample

    210408-syvyfjckc6

  • MD5

    845615bf78874fa55758ce6fa4b36084

  • SHA1

    57871e28d04d19bb2f99cfacdc844073418c0d7c

  • SHA256

    ec7db23abe0578993c032c1c962db58d72bc1cdcb8401d33e60e92f784defb75

  • SHA512

    7d88605095090bb6aebbd27e4ff76be4de8a85be3a33294938c2faa3151bc063b8add8f05f277642e6f8c9395a136757439943912ba704121e0fbb095462ff5d

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

23.106.123.249:443

23.106.123.141:443

23.254.225.170:443

134.119.186.216:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.Trojan.Coins.Win32.5986.15363.1750

    • Size

      1MB

    • MD5

      845615bf78874fa55758ce6fa4b36084

    • SHA1

      57871e28d04d19bb2f99cfacdc844073418c0d7c

    • SHA256

      ec7db23abe0578993c032c1c962db58d72bc1cdcb8401d33e60e92f784defb75

    • SHA512

      7d88605095090bb6aebbd27e4ff76be4de8a85be3a33294938c2faa3151bc063b8add8f05f277642e6f8c9395a136757439943912ba704121e0fbb095462ff5d

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks