danabot | f0bb317cdd6963c218b63c88388d6a487707ad0be26321ece91c5bddc6ff9c62 | Triage

Submit
Reports

Overview

overview

Static

static

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ฺฺ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

Sharing

General

Target

6083352a__Avast-Free-Anti.zip
Size

1.6MB
Sample

210423-83jy5dg97n
MD5

9c493be4e9e0ed2b6f1c3d0b834bf8f3
SHA1

1431094e25be681190e88ec1f978966f9ad79c91
SHA256

f0bb317cdd6963c218b63c88388d6a487707ad0be26321ece91c5bddc6ff9c62
SHA512

3dd7156be96a3e08eefe3779def66367c1f2e0b3131ad927d74db2525b44c9cd713c2dc76666da711b72826a0a742c11296a61b34842aa749828021953eb746e

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

setup_x86_x64_install.exe

Resource

win10v20210410

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

setup_x86_x64_install.exe

Resource

win10v20210410

discovery spyware stealer

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral3

Sample

setup_x86_x64_install.exe

Resource

win10v20210408

danabot 3 banker discovery spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

23.106.123.185:443

192.210.198.12:443

23.254.225.170:443

23.106.123.141:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

rsa_pubkey.plain

Targets

- Target
  
  setup_x86_x64_install.exe
- Size
  
  1.8MB
- MD5
  
  2c121f456cbbde3437f0944ed2436991
- SHA1
  
  6ad7e5cd87e0456e0076a41c21feb1147c7dd6eb
- SHA256
  
  04e341fb5750ca5588ad1340c2a2348a1a128a4a368ab13ad9628f2f49a20298
- SHA512
  
  10163af59e96e81fa89c9b9b0b63a4eb157a2f921b18d1d9dbcd989f2dea71e8f72fb88710f2e419059a0c1e2c536b326f1f74f61727ed86e8f980c087eaeeb2
Score

10^/10

discovery spyware stealer danabot 3 banker trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

discoveryspywarestealer

behavioral3

danabot3bankerdiscoveryspywarestealertrojan

© 2018-2024

Terms | Privacy