danabot | c8dd0c191381840bc03ffb8837caa5d34b89b7e98aaafd8f7ed76d4305ea0ef5 | Triage

Sharing

General

Target

c8dd0c191381840bc03ffb8837caa5d34b89b7e98aaafd8f7ed76d4305ea0ef5
Size

1.2MB
Sample

211022-x76q3scaf3
MD5

9cc88dbc9e667adf16792d7af0eb99a7
SHA1

9ce52b79de7dcfcb68b36baaa1566a3d1de95be3
SHA256

c8dd0c191381840bc03ffb8837caa5d34b89b7e98aaafd8f7ed76d4305ea0ef5
SHA512

01833796d1f79c30204955507318d39c884bd8fa82dae6b753c6e6a40ac8ff4eb2629df5652694a41c9492ec376bb1e5ca6d4bcc5c063f37e0690658c76ada84

Score

10^/10

danabot 4 banker discovery trojan

Malware Config

Extracted

Family

danabot

Version

2052

Botnet

4

C2

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Targets

- Target
  
  c8dd0c191381840bc03ffb8837caa5d34b89b7e98aaafd8f7ed76d4305ea0ef5
- Size
  
  1.2MB
- MD5
  
  9cc88dbc9e667adf16792d7af0eb99a7
- SHA1
  
  9ce52b79de7dcfcb68b36baaa1566a3d1de95be3
- SHA256
  
  c8dd0c191381840bc03ffb8837caa5d34b89b7e98aaafd8f7ed76d4305ea0ef5
- SHA512
  
  01833796d1f79c30204955507318d39c884bd8fa82dae6b753c6e6a40ac8ff4eb2629df5652694a41c9492ec376bb1e5ca6d4bcc5c063f37e0690658c76ada84
Score

10^/10

danabot 4 banker discovery trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Suspicious use of NtCreateProcessExOtherParentProcess
- Blocklisted process makes network request
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

danabot4bankerdiscoverytrojan