danabot | 1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2 | Triage

Submit
Reports

Overview

overview

Static

static

1a5b51c6da...b2.exe

windows7_x64

Resubmissions

17-01-2022 22:06

220117-11dcqsdad3 10

13-01-2022 16:33

220113-t2j4cabegk 10

Sharing

General

Target

1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2
Size

1.1MB
Sample

220117-11dcqsdad3
MD5

67c56114c8ad71ae8d5490f2aed56107
SHA1

631459c6a43f3c303d011436d4ad4a620b3ca336
SHA256

1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2
SHA512

5e652b84508006b8f0cab7b6252a0918dae3fabe48c8ff084d2a4f97ed926532fd60f5c1d9ee0f00d51e8ac25c647948b63aa4689428ab7bd3d19ed13bc65ab9

Score

10^/10

danabot 4 banker discovery persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2.exe

Resource

win7-en-20211208

danabot 4 banker discovery persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

danabot

Botnet

4

C2

103.175.16.113:443

103.175.16.114:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2108

Botnet

4

C2

103.175.16.113:443

103.175.16.114:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
main

rsa_privkey.plain

rsa_pubkey.plain

Targets

- Target
  
  1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2
- Size
  
  1.1MB
- MD5
  
  67c56114c8ad71ae8d5490f2aed56107
- SHA1
  
  631459c6a43f3c303d011436d4ad4a620b3ca336
- SHA256
  
  1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2
- SHA512
  
  5e652b84508006b8f0cab7b6252a0918dae3fabe48c8ff084d2a4f97ed926532fd60f5c1d9ee0f00d51e8ac25c647948b63aa4689428ab7bd3d19ed13bc65ab9
Score

10^/10

danabot 4 banker discovery persistence spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot Loader Component
- Blocklisted process makes network request
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

danabot4bankerdiscoverypersistencespywarestealertrojan

© 2018-2024

Terms | Privacy