intercom.exe

General
Target

intercom.exe

Size

5MB

Sample

210410-fdn7py1pgx

Score
10 /10
MD5

aa93361d01ad033f88e422a2c845b045

SHA1

3bc3c157a3a0e0a1e558458c818345f19cc8112a

SHA256

13f4892e2108e176a73353d8e5b0d1a7c1721eb41b11921ee01300419373b374

SHA512

6fa96cc15642d0869bf90417695332e8a984048bf6e13beb6a7d8fa494386c957d5e960df028157d76d6d915df3bf728c3bf9cfdadfa8e7e86bad6eb51ce8c23

Malware Config

Extracted

Family danabot
Version 1827
Botnet 3
C2

193.34.167.88:443

192.3.26.107:443

23.81.246.201:443

134.119.186.216:443

Attributes
embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
rsa_pubkey.plain
rsa_pubkey.plain
Targets
Target

intercom.exe

MD5

aa93361d01ad033f88e422a2c845b045

Filesize

5MB

Score
10 /10
SHA1

3bc3c157a3a0e0a1e558458c818345f19cc8112a

SHA256

13f4892e2108e176a73353d8e5b0d1a7c1721eb41b11921ee01300419373b374

SHA512

6fa96cc15642d0869bf90417695332e8a984048bf6e13beb6a7d8fa494386c957d5e960df028157d76d6d915df3bf728c3bf9cfdadfa8e7e86bad6eb51ce8c23

Tags

Signatures

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Blocklisted process makes network request

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Drops desktop.ini file(s)

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation