Malware sandboxing report by Hatching Triage

Resubmissions

17-01-2022 22:06

220117-11dcqsdad3 10

13-01-2022 16:33

220113-t2j4cabegk 10

Sharing

Copy URL

Twitter E-mail

General

Target

1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2
Size

1MB
Sample

220117-11dcqsdad3
MD5

67c56114c8ad71ae8d5490f2aed56107
SHA1

631459c6a43f3c303d011436d4ad4a620b3ca336
SHA256

1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2
SHA512

5e652b84508006b8f0cab7b6252a0918dae3fabe48c8ff084d2a4f97ed926532fd60f5c1d9ee0f00d51e8ac25c647948b63aa4689428ab7bd3d19ed13bc65ab9

Score

10^/10

danabot 4 banker discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

danabot

Botnet

103.175.16.113:443

103.175.16.114:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2108

Botnet

103.175.16.113:443

103.175.16.114:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
main

rsa_privkey.plain

rsa_pubkey.plain

Targets

- Target
  
  1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2
- Size
  
  1MB
- MD5
  
  67c56114c8ad71ae8d5490f2aed56107
- SHA1
  
  631459c6a43f3c303d011436d4ad4a620b3ca336
- SHA256
  
  1a5b51c6da5399571b495e251c10eae4b9875efb0cdc8e76abd699a887abb1b2
- SHA512
  
  5e652b84508006b8f0cab7b6252a0918dae3fabe48c8ff084d2a4f97ed926532fd60f5c1d9ee0f00d51e8ac25c647948b63aa4689428ab7bd3d19ed13bc65ab9
Score

10^/10

danabot 4 banker discovery persistence spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot Loader Component
- Blocklisted process makes network request
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Tasks

static1

Score

N/A

behavioral1

danabot4bankerdiscoverypersistencespywarestealertrojan

Score

10^/10

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

Danabot

Danabot Loader Component

Blocklisted process makes network request

Sets DLL path for service in the registry

Sets service image path in registry

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1