General

  • Target

    SecuriteInfo.com.Trojan.GenericKD.46108979.11616.31973

  • Size

    1.1MB

  • Sample

    210416-84bk9h1kka

  • MD5

    20a6f20deda04de07d56e4ccaf6d27a5

  • SHA1

    7972c9024320a33abfc1db33e04af1600006e7ad

  • SHA256

    76ddf24374fc1975cbdeb30718badfa60d15ba78f4123e56c46c5f370622ef77

  • SHA512

    346e4b07634dc8e7427e9805788e35d42b735bb0ec2b2749419d3e77fb5a6e19ac617110559e49e269011fafd4ec26d96f69f870de5d9c8d367c63827d5f25b4

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

37.220.31.94:443

192.210.198.12:443

23.106.123.185:443

192.236.147.83:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.Trojan.GenericKD.46108979.11616.31973

    • Size

      1.1MB

    • MD5

      20a6f20deda04de07d56e4ccaf6d27a5

    • SHA1

      7972c9024320a33abfc1db33e04af1600006e7ad

    • SHA256

      76ddf24374fc1975cbdeb30718badfa60d15ba78f4123e56c46c5f370622ef77

    • SHA512

      346e4b07634dc8e7427e9805788e35d42b735bb0ec2b2749419d3e77fb5a6e19ac617110559e49e269011fafd4ec26d96f69f870de5d9c8d367c63827d5f25b4

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks