General

  • Target

    7b50c5555749ee419657fb8d40a9a1c6e2f103df413ddd53eadd22917ca15ad2

  • Size

    1MB

  • Sample

    220730-18sgmaafg4

  • MD5

    1ef8b148b1b51343c3150d5dad342d3e

  • SHA1

    3d554440983f890cda93149bc4cbfdfad9ac6f3e

  • SHA256

    7b50c5555749ee419657fb8d40a9a1c6e2f103df413ddd53eadd22917ca15ad2

  • SHA512

    bedcea3dd21f8772932ac96c26297e7b4823492679af39b0d9d640592d0648f192c7fe78aedf816e5c2acc75c71989a7605d9daf0193a9d2cd099dcc71e3d692

Malware Config

Extracted

Family

danabot

C2

185.43.196.194

170.36.230.93

25.125.161.14

152.163.122.91

252.243.36.124

94.2.203.24

95.179.186.57

58.41.130.190

89.144.25.104

182.54.114.216

rsa_pubkey.plain

Targets

    • Target

      7b50c5555749ee419657fb8d40a9a1c6e2f103df413ddd53eadd22917ca15ad2

    • Size

      1MB

    • MD5

      1ef8b148b1b51343c3150d5dad342d3e

    • SHA1

      3d554440983f890cda93149bc4cbfdfad9ac6f3e

    • SHA256

      7b50c5555749ee419657fb8d40a9a1c6e2f103df413ddd53eadd22917ca15ad2

    • SHA512

      bedcea3dd21f8772932ac96c26297e7b4823492679af39b0d9d640592d0648f192c7fe78aedf816e5c2acc75c71989a7605d9daf0193a9d2cd099dcc71e3d692

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks