General

  • Target

    SecuriteInfo.com.Trojan.PWS.Stealer.30255.24265.28625

  • Size

    5.9MB

  • Sample

    210409-7knphldxgs

  • MD5

    54045155dcc1fee52ad9c969d7d5386d

  • SHA1

    7b18b20697781ffcc2ee35b1d742b8e13ecfcb53

  • SHA256

    5603b9b42a3fbac96324add022a3f433487d0beed0c56adb791d19d08af887e1

  • SHA512

    df4cbcad31199659e04f76db8a8b00aff1fa00935e1a78d0269b55fc0aab474c52bfb4539e4fb8ab96ba2e2a292157507934988fa76799b459d2c7934aabf3cf

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

193.34.167.88:443

192.210.198.12:443

23.81.246.201:443

192.3.26.107:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.Trojan.PWS.Stealer.30255.24265.28625

    • Size

      5.9MB

    • MD5

      54045155dcc1fee52ad9c969d7d5386d

    • SHA1

      7b18b20697781ffcc2ee35b1d742b8e13ecfcb53

    • SHA256

      5603b9b42a3fbac96324add022a3f433487d0beed0c56adb791d19d08af887e1

    • SHA512

      df4cbcad31199659e04f76db8a8b00aff1fa00935e1a78d0269b55fc0aab474c52bfb4539e4fb8ab96ba2e2a292157507934988fa76799b459d2c7934aabf3cf

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

1
T1005

Tasks