Resubmissions

21-04-2021 07:08

210421-tvszcna2rn 10

20-04-2021 15:45

210420-ltq5yewapn 8

20-04-2021 15:36

210420-agthzw54hx 8

General

  • Target

    http://192.3.26.118/klok.exe

  • Sample

    210421-tvszcna2rn

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

23.106.123.141:443

192.210.198.12:443

37.220.31.94:443

23.254.225.170:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      http://192.3.26.118/klok.exe

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

1
T1005

Tasks