General

  • Target

    9e4a64c4fa6e39c031f18cfcd311b6aed33b8f9b10c889b269a3aa632660939a

  • Size

    3.7MB

  • Sample

    220319-nlfhbsgge7

  • MD5

    b6995dfce95739d32e89823d511a1f88

  • SHA1

    be65ab3e8131596c5dbad4ad0a28d2812c32b247

  • SHA256

    9e4a64c4fa6e39c031f18cfcd311b6aed33b8f9b10c889b269a3aa632660939a

  • SHA512

    ed4b5b6027b7d5ab1095dd38bbdb7cdfde816b659a018d82b03089ff5f918779e56fdd719eda95cf21ac899f1dfbaf004d2ea9286535e874c4fd7c5bf826264f

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

167.114.188.38:443

23.254.118.230:443

51.195.73.129:443

Attributes

  • embedded_hash

    FDF53441EFF9FF204FC962CE9ECC819F

  • type

    main

rsa_pubkey.plain

Targets

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access

    T1081 Credentials in Files (1)

  • Discovery

    T1012 Query Registry (1)

  • Collection

    T1005 Data from Local System (1)