General

  • Target

    dc31178c8e734d726d361bf5179f05b2.exe

  • Size

    1.9MB

  • Sample

    210615-tqzrterxwx

  • MD5

    dc31178c8e734d726d361bf5179f05b2

  • SHA1

    d28f5dd56498248e706a3aad546e0e200f19b3fa

  • SHA256

    473574ab9286caa551c88e2a3ac32e8b7975baac765bf084fd8c6ccb89737666

  • SHA512

    90b1e5a663b6bc8e2b52779259a6d04da5925ca57e02b4bd46165886f16a825336d927b30668df532bcb3d409b7f5247b2245aacac1e1ac691a4bb8a344eb8fb

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

192.210.198.12:443

37.220.31.50:443

184.95.51.183:443

184.95.51.175:443

Attributes
  • embedded_hash

    410EB249B3A3D8613B29638D583F7193

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      dc31178c8e734d726d361bf5179f05b2.exe

    • Size

      1.9MB

    • MD5

      dc31178c8e734d726d361bf5179f05b2

    • SHA1

      d28f5dd56498248e706a3aad546e0e200f19b3fa

    • SHA256

      473574ab9286caa551c88e2a3ac32e8b7975baac765bf084fd8c6ccb89737666

    • SHA512

      90b1e5a663b6bc8e2b52779259a6d04da5925ca57e02b4bd46165886f16a825336d927b30668df532bcb3d409b7f5247b2245aacac1e1ac691a4bb8a344eb8fb

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Tasks