Overview

overview

10

Static

static

lchosts.exe

windows7_x64

10

lchosts.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    lchosts.exe

  • Size

    6.0MB

  • Sample

    210524-7s8k8ndvb2

  • MD5

    96c614ab093dfd151fad5d1e86be6c78

  • SHA1

    b28028e1a373ee3bd7052db68a9e0d1139239bfc

  • SHA256

    37ac55376fbefed78ed34839833e8c8aa50aff9f8ae47cc70317e502c8e961f2

  • SHA512

    c18c6f65fe852fc63c80e84c6b75c9b55e9b4fd41671d0932412771730354b7adc635846a0437a4d24e8243447cffbaaf94b93a7db9b7f5edc6de65ba8b66a21

Score
10/10
danabot3bankerdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443
Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      lchosts.exe

    • Size

      6.0MB

    • MD5

      96c614ab093dfd151fad5d1e86be6c78

    • SHA1

      b28028e1a373ee3bd7052db68a9e0d1139239bfc

    • SHA256

      37ac55376fbefed78ed34839833e8c8aa50aff9f8ae47cc70317e502c8e961f2

    • SHA512

      c18c6f65fe852fc63c80e84c6b75c9b55e9b4fd41671d0932412771730354b7adc635846a0437a4d24e8243447cffbaaf94b93a7db9b7f5edc6de65ba8b66a21

    Score
    10/10
    danabot3bankerdiscoveryspywarestealertrojan

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Blocklisted process makes network request

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks