danabot | 00ffc90fe64f11be4ad0f101dad20fc5fb4b649aac23ed2e412f08a2c84666f7 | Triage

Submit
Reports

Overview

overview

Static

static

8

00ffc90fe6...f7.exe

windows7_x64

00ffc90fe6...f7.exe

windows10-2004_x64

Sharing

General

Target

00ffc90fe64f11be4ad0f101dad20fc5fb4b649aac23ed2e412f08a2c84666f7
Size

4.4MB
Sample

220708-h1ftraggb4
MD5

cf2a23761ab9a798816b513be21499e3
SHA1

1cf5eef658b1634260790f1136595824b32503bd
SHA256

00ffc90fe64f11be4ad0f101dad20fc5fb4b649aac23ed2e412f08a2c84666f7
SHA512

e40df6ab6e7eb47cbef2420ba25f54ea263e7fae143badbd829fcbe65907232cc94b1b23549af6f85efb290d049dd67c71b521af30e15883e9abfc84dfec33de

Score

10^/10

danabot 3 banker discovery spyware stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

00ffc90fe64f11be4ad0f101dad20fc5fb4b649aac23ed2e412f08a2c84666f7.exe

Resource

win7-20220414-en

danabot 3 banker discovery spyware stealer trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

00ffc90fe64f11be4ad0f101dad20fc5fb4b649aac23ed2e412f08a2c84666f7.exe

Resource

win10v2004-20220414-en

danabot 3 banker discovery spyware stealer trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

104.144.64.163:443

108.62.141.152:443

108.62.118.103:443

192.241.101.68:443

Attributes

embedded_hash
49574F66CD0103BBD725C08A9805C2BE
type
main

rsa_pubkey.plain

rsa_pubkey.plain

Targets

- Target
  
  00ffc90fe64f11be4ad0f101dad20fc5fb4b649aac23ed2e412f08a2c84666f7
- Size
  
  4.4MB
- MD5
  
  cf2a23761ab9a798816b513be21499e3
- SHA1
  
  1cf5eef658b1634260790f1136595824b32503bd
- SHA256
  
  00ffc90fe64f11be4ad0f101dad20fc5fb4b649aac23ed2e412f08a2c84666f7
- SHA512
  
  e40df6ab6e7eb47cbef2420ba25f54ea263e7fae143badbd829fcbe65907232cc94b1b23549af6f85efb290d049dd67c71b521af30e15883e9abfc84dfec33de
Score

10^/10

danabot 3 banker discovery spyware stealer trojan upx
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Blocklisted process makes network request
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

danabot3bankerdiscoveryspywarestealertrojanupx

behavioral2

danabot3bankerdiscoveryspywarestealertrojanupx

© 2018-2024

Terms | Privacy