d33414cda6d3dc0469ac0ea732566c2533ac92711f5f4cfab9674b20afd8c18e

Target

Size

1MB

Sample

220112-3rfslsefem

Score

10 ^/10

MD5

3e4ba6b9dd120bbeb6e828c6c6f69aa7

SHA1

6c87adedd42d47721fa59327a5bbf9ff4d5b5c77

SHA256

d33414cda6d3dc0469ac0ea732566c2533ac92711f5f4cfab9674b20afd8c18e

SHA512

759cd51f63d438773ec8e859643774e6e52c0846f6536ad6364f3ecf86f1e6385c1acb80abaf27271b61fe8ea2896a26d59606240f78e94203f4f8aa61f78713

danabot 4 banker discovery persistence spyware stealer suricata trojan

Extracted

Family	danabot
Botnet	4
C2	103.175.16.113:443 103.175.16.114:443 103.175.16.113:443 103.175.16.114:443
Attributes	embedded_hash 422236FD601D11EE82825A484D26DD6F type loader
rsa_pubkey.plain
rsa_privkey.plain

Extracted

Family	danabot
Version	2108
Botnet	4
C2	103.175.16.113:443 103.175.16.114:443 103.175.16.113:443 103.175.16.114:443
Attributes	embedded_hash 422236FD601D11EE82825A484D26DD6F type main
rsa_privkey.plain
rsa_pubkey.plain

Target

d33414cda6d3dc0469ac0ea732566c2533ac92711f5f4cfab9674b20afd8c18e

MD5

3e4ba6b9dd120bbeb6e828c6c6f69aa7

Filesize

1MB

Score

10^/10

SHA1

6c87adedd42d47721fa59327a5bbf9ff4d5b5c77

SHA256

d33414cda6d3dc0469ac0ea732566c2533ac92711f5f4cfab9674b20afd8c18e

SHA512

759cd51f63d438773ec8e859643774e6e52c0846f6536ad6364f3ecf86f1e6385c1acb80abaf27271b61fe8ea2896a26d59606240f78e94203f4f8aa61f78713

Signatures

Danabot
Description

Danabot is a modular banking Trojan that has been linked with other malware.
Tags

trojan banker danabot
Danabot Loader Component
suricata: ET MALWARE Danabot Key Exchange Request
Description

suricata: ET MALWARE Danabot Key Exchange Request
Tags

suricata
Blocklisted process makes network request
Sets DLL path for service in the registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Sets service image path in registry
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Checks installed software on the system
Description

Looks up Uninstall key entries in the registry to enumerate software on the system.
Tags

discovery

TTPs

Query Registry
Enumerates connected drives
Description

Attempts to read the root path of hard drives other than the default C: drive.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Drops file in System32 directory
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

static1

behavioral1

danabot 4 banker discovery persistence spyware stealer suricata trojan

10^/10

behavioral2

danabot 4 banker discovery persistence spyware stealer suricata trojan

10^/10

Extracted

Extracted

Tags

Signatures

Danabot

Description

Tags

Danabot Loader Component

suricata: ET MALWARE Danabot Key Exchange Request

Description

Tags

Blocklisted process makes network request

Sets DLL path for service in the registry

Tags

TTPs

Sets service image path in registry

Tags

TTPs

Loads dropped DLL

Reads user/profile data of web browsers

Description

Tags

TTPs

Checks installed software on the system

Description

Tags

TTPs

Enumerates connected drives

Description

TTPs

Drops file in System32 directory

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2