danabot | 0e7a6f68a24dab058792a0f8e5bdd2f7b62fb3caf112e3742c25f204a688594b | Triage

Sharing

General

Target

0e7a6f68a24dab058792a0f8e5bdd2f7b62fb3caf112e3742c25f204a688594b
Size

2.1MB
Sample

220604-xgpd4sfeem
MD5

6c9d00bdd813e7288bb83030e6ec37c5
SHA1

cdd64358fcd7d823282465ce63b8b64ece82a139
SHA256

0e7a6f68a24dab058792a0f8e5bdd2f7b62fb3caf112e3742c25f204a688594b
SHA512

ec3a0fb51154fcad1384f7a868de29962f753caaab3e9a1a8d4c3bb8c2ed2fa02989f06e17c1a9f71e787af6e39fa2e1bda272456723f52271c5b6aed8e537d4

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

181.63.44.194

207.148.83.108

45.77.40.71

87.115.138.169

24.229.48.7

116.111.206.27

45.196.143.203

218.65.3.199

131.59.110.186

113.81.97.96

rsa_pubkey.plain

Targets

- Target
  
  CRA_INV_2019_568865666921/CRA_INV_2019_568865666921.vbs
- Size
  
  22.6MB
- MD5
  
  5d970965b78013545a9c0d32eb10ee61
- SHA1
  
  29c055edc3c0de81add7741034f2aa8f038bc638
- SHA256
  
  50b32f4330ee0822a8010830064aaae8d58a32e556cf77e4dcb624e640ec2234
- SHA512
  
  a4a344f279c156edc1ed6d5c072962006ab84781f9ed5e3b718d94559c3fb6b6dcdf429020a1458528edd957334c718c7fe641117b5f50fad4a2d18ec5b723a5
Score

10^/10

danabot banker trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

danabotbankertrojan

behavioral2

danabotbankertrojan