57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

Target

Size

14MB

Sample

220111-szqyfagba2

Score

10 ^/10

MD5

cbac8f0600345f5fdc38a4c9f41e21f3

SHA1

606f627a922e4a22cc139474866559dabea1f0d5

SHA256

57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

SHA512

54a7dcf07f2cc56bb6c0c69472a5d24cc3338650b93af959261f8b878ef9729ab2dbdebf654506271ab0d2d3dc88742e9039b97a607d4060702d17b978f7b109

danabot 4 banker discovery persistence spyware stealer trojan

Extracted

Family	danabot
Version	2108
Botnet	4
C2	192.119.110.4:443 103.175.16.113:443 192.119.110.4:443 103.175.16.113:443
Attributes	embedded_hash 422236FD601D11EE82825A484D26DD6F type main
rsa_privkey.plain
rsa_pubkey.plain

Target

57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

MD5

cbac8f0600345f5fdc38a4c9f41e21f3

Filesize

14MB

Score

10^/10

SHA1

606f627a922e4a22cc139474866559dabea1f0d5

SHA256

57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

SHA512

54a7dcf07f2cc56bb6c0c69472a5d24cc3338650b93af959261f8b878ef9729ab2dbdebf654506271ab0d2d3dc88742e9039b97a607d4060702d17b978f7b109

Signatures

Danabot
Description

Danabot is a modular banking Trojan that has been linked with other malware.
Tags

trojan banker danabot
Blocklisted process makes network request
Sets DLL path for service in the registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Sets service image path in registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Drops file in System32 directory
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

static1

4 danabot

10^/10

behavioral1

danabot 4 banker discovery persistence spyware stealer trojan

10^/10

behavioral2

danabot 4 banker discovery persistence spyware stealer trojan

10^/10

Extracted

Tags

Signatures

Danabot

Description

Tags

Blocklisted process makes network request

Sets DLL path for service in the registry

Tags

TTPs

Sets service image path in registry

Tags

TTPs

Reads user/profile data of web browsers

Description

Tags

TTPs

Checks installed software on the system

Description

Tags

TTPs

Enumerates connected drives

Description

TTPs

Drops file in System32 directory

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2