dana2_main_module.dll

General

Target: dana2_main_module.dll
Size: 14MB
Sample: 220106-qkhmeabcd2
Score: 10/10
MD5: ccc1cb042ebb862832cc9f593c83a840
SHA1: ffdb2747bbfca03ea0b469a11926957f79a6fe18
SHA256: 4fa6dcec96075d9e5a69d728d69b1e32fd59be3598742221a3704505fc073935
SHA512: 4ddeed3a27ecb84905f79281bb2c27089351bc09266090acfaa0082eefdaeabcb95eb0657d824b9da4ce9787679c123107b92ad1007ca3c5def132468e37d4e2

Malware Config

Extracted

Family: danabot
Version: 2108
Botnet: 4
C2:
  142.11.244.223:443
  192.236.194.72:443
  192.119.110.4:443

Attributes
  embedded_hash: 8357B947FCA843DB2D85EC29EDCDEF3C
  type: main
  rsa_privkey.plain
  rsa_pubkey.plain
Signatures

  • Danabot

    Description: Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request

  • Sets DLL path for service in the registry

    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Sets service image path in registry

    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Checks installed software on the system

    Description: Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs: Query Registry

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext
MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation (technique cells not present in the extracted report).