1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2

General
Target

1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2

Size

1MB

Sample

220117-11dcqsdad3

Score
10 /10
MD5

67c56114c8ad71ae8d5490f2aed56107

SHA1

631459c6a43f3c303d011436d4ad4a620b3ca336

SHA256

1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2

SHA512

5e652b84508006b8f0cab7b6252a0918dae3fabe48c8ff084d2a4f97ed926532fd60f5c1d9ee0f00d51e8ac25c647948b63aa4689428ab7bd3d19ed13bc65ab9

Malware Config

Extracted

Family danabot
Botnet 4
C2

103.175.16.113:443

103.175.16.114:443

Attributes
embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader
rsa_pubkey.plain
rsa_privkey.plain

Extracted

Family danabot
Version 2108
Botnet 4
C2

103.175.16.113:443

103.175.16.114:443

Attributes
embedded_hash
422236FD601D11EE82825A484D26DD6F
type
main
rsa_privkey.plain
rsa_pubkey.plain
Targets
Target

1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2

MD5

67c56114c8ad71ae8d5490f2aed56107

Filesize

1MB

Score
10/10
SHA1

631459c6a43f3c303d011436d4ad4a620b3ca336

SHA256

1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2

SHA512

5e652b84508006b8f0cab7b6252a0918dae3fabe48c8ff084d2a4f97ed926532fd60f5c1d9ee0f00d51e8ac25c647948b63aa4689428ab7bd3d19ed13bc65ab9

Tags

Signatures

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Danabot Loader Component

  • Blocklisted process makes network request

  • Sets DLL path for service in the registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Privilege Escalation