57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

General
Target

57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

Size

14MB

Sample

220111-szqyfagba2

Score
10 /10
MD5

cbac8f0600345f5fdc38a4c9f41e21f3

SHA1

606f627a922e4a22cc139474866559dabea1f0d5

SHA256

57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

SHA512

54a7dcf07f2cc56bb6c0c69472a5d24cc3338650b93af959261f8b878ef9729ab2dbdebf654506271ab0d2d3dc88742e9039b97a607d4060702d17b978f7b109

Malware Config

Extracted

Family danabot
Version 2108
Botnet 4
C2

192.119.110.4:443

103.175.16.113:443

Attributes
embedded_hash
422236FD601D11EE82825A484D26DD6F
type
main
rsa_privkey.plain
rsa_pubkey.plain
Targets
Target

57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

MD5

cbac8f0600345f5fdc38a4c9f41e21f3

Filesize

14MB

Score
10/10
SHA1

606f627a922e4a22cc139474866559dabea1f0d5

SHA256

57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

SHA512

54a7dcf07f2cc56bb6c0c69472a5d24cc3338650b93af959261f8b878ef9729ab2dbdebf654506271ab0d2d3dc88742e9039b97a607d4060702d17b978f7b109

Tags

Signatures

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Blocklisted process makes network request

  • Sets DLL path for service in the registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Privilege Escalation