General

  • Target

    f17d3dde9529a1087c2f54362bb88b2cdb809560ed69c45dbc2bd69f85abc551

  • Size

    3.7MB

  • Sample

    220319-wrvs7sfea3

  • MD5

    061a227f79536203b16b2212bc49b166

  • SHA1

    b3e2a59cc159fcf29c8c7d4651bfebc3e854d5cd

  • SHA256

    f17d3dde9529a1087c2f54362bb88b2cdb809560ed69c45dbc2bd69f85abc551

  • SHA512

    8921e37f2d351635a3b76ccfff8705fc3cfa60eec041ba68cc52e505565812ffed489ef86dbd935b683bf9e325fbe8f342a17f09a17c81521e69531747c35146

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

23.226.132.92:443

108.62.141.152:443

108.62.118.103:443

192.241.101.68:443

Attributes
  • embedded_hash

    49574F66CD0103BBD725C08A9805C2BE

  • type

    main

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      f17d3dde9529a1087c2f54362bb88b2cdb809560ed69c45dbc2bd69f85abc551

    • Size

      3.7MB

    • MD5

      061a227f79536203b16b2212bc49b166

    • SHA1

      b3e2a59cc159fcf29c8c7d4651bfebc3e854d5cd

    • SHA256

      f17d3dde9529a1087c2f54362bb88b2cdb809560ed69c45dbc2bd69f85abc551

    • SHA512

      8921e37f2d351635a3b76ccfff8705fc3cfa60eec041ba68cc52e505565812ffed489ef86dbd935b683bf9e325fbe8f342a17f09a17c81521e69531747c35146

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

1
T1005

Tasks