hosts.exe

General
Target

hosts.exe

Size

5MB

Sample

210409-2dgeh4hsaj

Score
10 /10
MD5

b768a6b0c597fa083d90582e77de79e7

SHA1

47c4e14037d68de788fbe661d7cd28f3434d1ad7

SHA256

8b6517bf35e770e8ba3d0e248c9cd1545e0a2a9234f0ff9746853b5111cbe172

SHA512

12d56bf6cb1c48b0cbba4cb6eeb6eec6222f175304994370978ec91cb482f9b8b91573af0f48c77a42a327abde50d1a737494528a29ccf471ea984ce6b654b10

Malware Config

Extracted

Family danabot
Version 1827
Botnet 3
C2

23.106.123.249:443

23.106.123.141:443

23.254.225.170:443

134.119.186.216:443

Attributes
embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
rsa_pubkey.plain
rsa_pubkey.plain
Targets
Target

hosts.exe

MD5

b768a6b0c597fa083d90582e77de79e7

Filesize

5MB

Score
10 /10
SHA1

47c4e14037d68de788fbe661d7cd28f3434d1ad7

SHA256

8b6517bf35e770e8ba3d0e248c9cd1545e0a2a9234f0ff9746853b5111cbe172

SHA512

12d56bf6cb1c48b0cbba4cb6eeb6eec6222f175304994370978ec91cb482f9b8b91573af0f48c77a42a327abde50d1a737494528a29ccf471ea984ce6b654b10

Tags

Signatures

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Blocklisted process makes network request

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Drops desktop.ini file(s)

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation