danabot | d3467bceb27c8533c1a904b34437aa2fd03963be8085f668a961b113feb75c5c | Triage

Submit
Reports

Overview

overview

Static

static

ab97379430...15.exe

windows7_x64

ab97379430...15.exe

windows10_x64

Sharing

General

Target

ab97379430925c314d088393a8b39e15
Size

1.1MB
Sample

210725-r2tmkt74a6
MD5

ab97379430925c314d088393a8b39e15
SHA1

f6f67f43bedd372da5cfcb18dae42e7139d25c04
SHA256

d3467bceb27c8533c1a904b34437aa2fd03963be8085f668a961b113feb75c5c
SHA512

63b82abdf1db7c0ef80dd2cce925f2aafb0ed7d55931b35ea8f244153b5e027c689623024f114d13bcb31d189e6a8ddcec289f7a2cac9f8c4b2e38cd67c2922d

Score

10^/10

danabot 4 banker discovery persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

ab97379430925c314d088393a8b39e15.exe

Resource

win7v20210410

danabot 4 banker discovery persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ab97379430925c314d088393a8b39e15.exe

Resource

win10v20210408

danabot 4 banker discovery persistence spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

4

C2

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Targets

- Target
  
  ab97379430925c314d088393a8b39e15
- Size
  
  1.1MB
- MD5
  
  ab97379430925c314d088393a8b39e15
- SHA1
  
  f6f67f43bedd372da5cfcb18dae42e7139d25c04
- SHA256
  
  d3467bceb27c8533c1a904b34437aa2fd03963be8085f668a961b113feb75c5c
- SHA512
  
  63b82abdf1db7c0ef80dd2cce925f2aafb0ed7d55931b35ea8f244153b5e027c689623024f114d13bcb31d189e6a8ddcec289f7a2cac9f8c4b2e38cd67c2922d
Score

10^/10

danabot 4 banker discovery persistence spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

danabot4bankerdiscoverypersistencespywarestealertrojan

behavioral2

danabot4bankerdiscoverypersistencespywarestealertrojan

© 2018-2024

Terms | Privacy