General

  • Target

    a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a

  • Size

    4.4MB

  • Sample

    220630-yc6m9scad8

  • MD5

    364526dd099a238f2351e994be7a912c

  • SHA1

    d8f39848296c18372421bba022bd62a688adcd0c

  • SHA256

    a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a

  • SHA512

    67ab390b2635c36f180659401f4877bc72600bc27b53c46b06ca9f08eb82e5a3449069a9c6463e43d7803e3741ce86569c97c822f018405b54599981286512ed

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

23.226.132.92:443

108.62.141.152:443

192.241.101.68:443

23.106.123.249:443

Attributes
  • embedded_hash

    49574F66CD0103BBD725C08A9805C2BE

  • type

    main

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a

    • Size

      4.4MB

    • MD5

      364526dd099a238f2351e994be7a912c

    • SHA1

      d8f39848296c18372421bba022bd62a688adcd0c

    • SHA256

      a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a

    • SHA512

      67ab390b2635c36f180659401f4877bc72600bc27b53c46b06ca9f08eb82e5a3449069a9c6463e43d7803e3741ce86569c97c822f018405b54599981286512ed

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Collection

Data from Local System

1
T1005

Tasks