General

  • Target

    2809de5c1d9de29a85dcd05e179b70e4.exe

  • Size

    1.2MB

  • Sample

    210523-nwbkta9q12

  • MD5

    2809de5c1d9de29a85dcd05e179b70e4

  • SHA1

    5d8814ebcaabf09d9e7b033e105371367a9e09f2

  • SHA256

    ae9aabd03661ced937c594cf83df2303a5991e3c2382474111e69322e6f22f32

  • SHA512

    1e497983843c3b5b82f000a9602dc6ae64abc3a4841ebfc015d02686eba66a787e67215ba3d76b523020d0f053a5340fcabf092d231f1d59a8db011226b69bb9

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      2809de5c1d9de29a85dcd05e179b70e4.exe

    • Size

      1.2MB

    • MD5

      2809de5c1d9de29a85dcd05e179b70e4

    • SHA1

      5d8814ebcaabf09d9e7b033e105371367a9e09f2

    • SHA256

      ae9aabd03661ced937c594cf83df2303a5991e3c2382474111e69322e6f22f32

    • SHA512

      1e497983843c3b5b82f000a9602dc6ae64abc3a4841ebfc015d02686eba66a787e67215ba3d76b523020d0f053a5340fcabf092d231f1d59a8db011226b69bb9

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks