danabot | 4fa6dcec96075d9e5a69d728d69b1e32fd59be3598742221a3704505fc073935 | Triage

Submit
Reports

Overview

overview

Static

static

dana2_main_module.dll

windows7_x64

dana2_main_module.dll

windows10_x64

Sharing

General

Target

dana2_main_module.dll
Size

14.9MB
Sample

220106-qkhmeabcd2
MD5

ccc1cb042ebb862832cc9f593c83a840
SHA1

ffdb2747bbfca03ea0b469a11926957f79a6fe18
SHA256

4fa6dcec96075d9e5a69d728d69b1e32fd59be3598742221a3704505fc073935
SHA512

4ddeed3a27ecb84905f79281bb2c27089351bc09266090acfaa0082eefdaeabcb95eb0657d824b9da4ce9787679c123107b92ad1007ca3c5def132468e37d4e2

Score

10^/10

danabot 4 banker discovery persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

dana2_main_module.dll

Resource

win7-en-20211208

danabot 4 banker discovery persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

dana2_main_module.dll

Resource

win10-en-20211208

danabot 4 banker discovery persistence trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

danabot

Version

2108

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

192.119.110.4:443

Attributes

embedded_hash
8357B947FCA843DB2D85EC29EDCDEF3C
type
main

rsa_privkey.plain

rsa_pubkey.plain

Targets

- Target
  
  dana2_main_module.dll
- Size
  
  14.9MB
- MD5
  
  ccc1cb042ebb862832cc9f593c83a840
- SHA1
  
  ffdb2747bbfca03ea0b469a11926957f79a6fe18
- SHA256
  
  4fa6dcec96075d9e5a69d728d69b1e32fd59be3598742221a3704505fc073935
- SHA512
  
  4ddeed3a27ecb84905f79281bb2c27089351bc09266090acfaa0082eefdaeabcb95eb0657d824b9da4ce9787679c123107b92ad1007ca3c5def132468e37d4e2
Score

10^/10

danabot 4 banker discovery persistence trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Blocklisted process makes network request
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

danabot4bankerdiscoverypersistencetrojan

behavioral2

danabot4bankerdiscoverypersistencetrojan

© 2018-2024

Terms | Privacy