d33414cda6d3dc0469ac0ea732566c2533ac92711f5f4cfab9674b20afd8c18e

General
Target

d33414cda6d3dc0469ac0ea732566c2533ac92711f5f4cfab9674b20afd8c18e

Size

1MB

Sample

220112-3rfslsefem

Score
10 /10
MD5

3e4ba6b9dd120bbeb6e828c6c6f69aa7

SHA1

6c87adedd42d47721fa59327a5bbf9ff4d5b5c77

SHA256

d33414cda6d3dc0469ac0ea732566c2533ac92711f5f4cfab9674b20afd8c18e

SHA512

759cd51f63d438773ec8e859643774e6e52c0846f6536ad6364f3ecf86f1e6385c1acb80abaf27271b61fe8ea2896a26d59606240f78e94203f4f8aa61f78713

Malware Config

Extracted

Family danabot
Botnet 4
C2

103.175.16.113:443

103.175.16.114:443

Attributes
embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader
rsa_pubkey.plain
rsa_privkey.plain

Extracted

Family danabot
Version 2108
Botnet 4
C2

103.175.16.113:443

103.175.16.114:443

Attributes
embedded_hash
422236FD601D11EE82825A484D26DD6F
type
main
rsa_privkey.plain
rsa_pubkey.plain
Targets
Target

d33414cda6d3dc0469ac0ea732566c2533ac92711f5f4cfab9674b20afd8c18e

MD5

3e4ba6b9dd120bbeb6e828c6c6f69aa7

Filesize

1MB

Score
10/10
SHA1

6c87adedd42d47721fa59327a5bbf9ff4d5b5c77

SHA256

d33414cda6d3dc0469ac0ea732566c2533ac92711f5f4cfab9674b20afd8c18e

SHA512

759cd51f63d438773ec8e859643774e6e52c0846f6536ad6364f3ecf86f1e6385c1acb80abaf27271b61fe8ea2896a26d59606240f78e94203f4f8aa61f78713

Tags

Signatures

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Danabot Loader Component

  • suricata: ET MALWARE Danabot Key Exchange Request

    Description

    suricata: ET MALWARE Danabot Key Exchange Request

    Tags

  • Blocklisted process makes network request

  • Sets DLL path for service in the registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Privilege Escalation