General

  • Target

    748e0ead4f83adb0e998badcc9162b9b.exe

  • Size

    5.9MB

  • Sample

    210428-3kemkbx1bs

  • MD5

    748e0ead4f83adb0e998badcc9162b9b

  • SHA1

    ace1bba4c0e96cb82ba4dd9b9fbe53e944ebcc83

  • SHA256

    c3a37f9ca1adb4ac16434269e909bbc87fe684cfaf414473ecd8edc499e59fc5

  • SHA512

    151ca0c9ff17ff09fa436ba9892949fe67d4f20cac11be59235c9a5d5fee604a459f57a638202b325fb205a7cf2147032d4d73b010cd54ca76df8d2ff51d54d8

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

192.236.147.83:443

184.95.51.175:443

23.106.123.185:443

192.210.198.12:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      748e0ead4f83adb0e998badcc9162b9b.exe

    • Size

      5.9MB

    • MD5

      748e0ead4f83adb0e998badcc9162b9b

    • SHA1

      ace1bba4c0e96cb82ba4dd9b9fbe53e944ebcc83

    • SHA256

      c3a37f9ca1adb4ac16434269e909bbc87fe684cfaf414473ecd8edc499e59fc5

    • SHA512

      151ca0c9ff17ff09fa436ba9892949fe67d4f20cac11be59235c9a5d5fee604a459f57a638202b325fb205a7cf2147032d4d73b010cd54ca76df8d2ff51d54d8

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks