General

  • Target

    784949d5ab49e5e8783897c2e8cd1815.exe

  • Size

    1.1MB

  • Sample

    210723-sv1pvvt1kj

  • MD5

    784949d5ab49e5e8783897c2e8cd1815

  • SHA1

    056732ccf73a6e3ef5f22e3a058278a57d9c3f51

  • SHA256

    1862c6b58deef050db0cb8f2fe013c3e49002469d234b5c9857f2d6c5114e32d

  • SHA512

    cc81d4a237e5962f770d703451520074bf65a4d614686375cf4aad4f9216cef964b17e17d1fcc0dcb30189dce8852750f892cd3ef2c4407da429945e0a3156dd

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

4

C2

142.11.244.124:443

142.11.206.50:443

Attributes
  • embedded_hash

    6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain
rsa_pubkey.plain

Targets

    • Target

      784949d5ab49e5e8783897c2e8cd1815.exe

    • Size

      1.1MB

    • MD5

      784949d5ab49e5e8783897c2e8cd1815

    • SHA1

      056732ccf73a6e3ef5f22e3a058278a57d9c3f51

    • SHA256

      1862c6b58deef050db0cb8f2fe013c3e49002469d234b5c9857f2d6c5114e32d

    • SHA512

      cc81d4a237e5962f770d703451520074bf65a4d614686375cf4aad4f9216cef964b17e17d1fcc0dcb30189dce8852750f892cd3ef2c4407da429945e0a3156dd

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks