General

  • Target

    SecuriteInfo.com.Troj.Androm-TY.30287.16181

  • Size

    5.9MB

  • Sample

    210422-4bm7rxfxs6

  • MD5

    9077ee02ee92c4a1f4e874f1f086e220

  • SHA1

    651fd5e02b12155f79313db85e3669a82a528edb

  • SHA256

    488d2bdd81feedeb4b82a8e1acf319c4ad8b6d3170dd877d768430c19513d52c

  • SHA512

    c4aabefd8939e004d1c0616b49e5ef7c192e234bce928a86705549c387f5d371b8048c7d7cf6fe8c985e7cc1e963616875bdda3bffec8a6fcd7cb4c3fb5af388

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

23.106.123.141:443

23.254.225.170:443

23.106.123.185:443

37.220.31.94:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      SecuriteInfo.com.Troj.Androm-TY.30287.16181

    • Size

      5.9MB

    • MD5

      9077ee02ee92c4a1f4e874f1f086e220

    • SHA1

      651fd5e02b12155f79313db85e3669a82a528edb

    • SHA256

      488d2bdd81feedeb4b82a8e1acf319c4ad8b6d3170dd877d768430c19513d52c

    • SHA512

      c4aabefd8939e004d1c0616b49e5ef7c192e234bce928a86705549c387f5d371b8048c7d7cf6fe8c985e7cc1e963616875bdda3bffec8a6fcd7cb4c3fb5af388

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Blocklisted process makes network request

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks