General

  • Target

    d6432b92be7eb3decbfc25b5e8a1b5c8.exe

  • Size

    6.1MB

  • Sample

    210529-7bjxqdn5ja

  • MD5

    d6432b92be7eb3decbfc25b5e8a1b5c8

  • SHA1

    4283fed9989befe8bcb180cb5e43313d8878cc49

  • SHA256

    eab508f41f98339ead04d09fc47c537e6e1b975f8233127d81196196b974bf27

  • SHA512

    e63bef350f31543ddacb7b58fbbc57c4ff478542333c2603b5bfb09267c69f876c115a8b0160b442ab2b9d8dd8eb57b4e4079a907d391595101c71458ad8bcca

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      d6432b92be7eb3decbfc25b5e8a1b5c8.exe

    • Size

      6.1MB

    • MD5

      d6432b92be7eb3decbfc25b5e8a1b5c8

    • SHA1

      4283fed9989befe8bcb180cb5e43313d8878cc49

    • SHA256

      eab508f41f98339ead04d09fc47c537e6e1b975f8233127d81196196b974bf27

    • SHA512

      e63bef350f31543ddacb7b58fbbc57c4ff478542333c2603b5bfb09267c69f876c115a8b0160b442ab2b9d8dd8eb57b4e4079a907d391595101c71458ad8bcca

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks