klok.exe

General
Target

klok.exe

Size

5MB

Sample

210418-l698b68z8a

Score
10 /10
MD5

f8206a65ddbdaf77b5f8be6599081cff

SHA1

c9929afc9c726e69a3aaaebb1810a93877d99e69

SHA256

baef74c9dbf470ffbe0261de0843db69a6037c167cf003f5703b905d3ad6c3a3

SHA512

ffedbbe897519d928586c1b09e9c7d4930ad6d98de36093d27f903c5b0572ddb10c065c3a05e13829cfe93932bb77f62812c3f99553c0a84f7a8a863f575deb6

Malware Config

Extracted

Family danabot
Version 1827
Botnet 3
C2

23.106.123.185:443

192.210.198.12:443

23.254.225.170:443

23.106.123.141:443

Attributes
embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
rsa_pubkey.plain
rsa_pubkey.plain
Targets
Target

klok.exe

MD5

f8206a65ddbdaf77b5f8be6599081cff

Filesize

5MB

Score
10 /10
SHA1

c9929afc9c726e69a3aaaebb1810a93877d99e69

SHA256

baef74c9dbf470ffbe0261de0843db69a6037c167cf003f5703b905d3ad6c3a3

SHA512

ffedbbe897519d928586c1b09e9c7d4930ad6d98de36093d27f903c5b0572ddb10c065c3a05e13829cfe93932bb77f62812c3f99553c0a84f7a8a863f575deb6

Tags

Signatures

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Blocklisted process makes network request

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Drops desktop.ini file(s)

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation