danabot | 7723ef735f4c131fad282ca59943079710a91d13011a025ad12ce9828d10f187 | Triage

Sharing

General

Target

SecuriteInfo.com.Dropped.Trojan.GenericKD.46121735.25361.5645
Size

1.2MB
Sample

210418-8982nwsk5j
MD5

9f4f0db4cc105c01d0d018bfae0ce36d
SHA1

01fae7a54ed997d786eeabab6f852f86ff3bc358
SHA256

7723ef735f4c131fad282ca59943079710a91d13011a025ad12ce9828d10f187
SHA512

6e6f11ed540a4d3c93f654f4e4ae5faa00b6989bbed5efb210485baf48b4f863c135ef869d4722fe4755e19774f89c64bd1b4998e114729f259a83196a4ef977

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

23.106.123.185:443

192.210.198.12:443

23.254.225.170:443

23.106.123.141:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

rsa_pubkey.plain

Targets

- Target
  
  SecuriteInfo.com.Dropped.Trojan.GenericKD.46121735.25361.5645
- Size
  
  1.2MB
- MD5
  
  9f4f0db4cc105c01d0d018bfae0ce36d
- SHA1
  
  01fae7a54ed997d786eeabab6f852f86ff3bc358
- SHA256
  
  7723ef735f4c131fad282ca59943079710a91d13011a025ad12ce9828d10f187
- SHA512
  
  6e6f11ed540a4d3c93f654f4e4ae5faa00b6989bbed5efb210485baf48b4f863c135ef869d4722fe4755e19774f89c64bd1b4998e114729f259a83196a4ef977
Score

10^/10

danabot 3 banker discovery spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

danabot3bankerdiscoveryspywarestealertrojan

behavioral2

danabot3bankerdiscoveryspywarestealertrojan