danabot | ac94e331b38a4f08aae13033be47c7534f8065730756c0971174031794b31c26 | Triage

Sharing

General

Target

ac94e331b38a4f08aae13033be47c7534f8065730756c0971174031794b31c26
Size

2.1MB
Sample

221128-mg376afe53
MD5

bea42b6875eeb5021bddea3fab1066ee
SHA1

46de5e226fe73309dd3b162de70a574d33d4aeb9
SHA256

ac94e331b38a4f08aae13033be47c7534f8065730756c0971174031794b31c26
SHA512

76c0170f79975607316cf7f6355e57cfd2a48a751cf8a24d86ab658f6a6756e9c9f12d0dca25832e59010b7a5322b5899dfe72cdbc26bf8dab5803c318d9a3ed
SSDEEP

49152:oKB1Flu1JIKJv9lEWv0/WNS3C7QcHggNKTKp10MTStC2OB:BYJFlEMcnQgvMTp2M

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

181.63.44.194

207.148.83.108

45.77.40.71

87.115.138.169

24.229.48.7

116.111.206.27

45.196.143.203

218.65.3.199

131.59.110.186

113.81.97.96

rsa_pubkey.plain

Targets

- Target
  
  CRA_INV_2019_831222351365/CRA_INV_2019_831222351365.vbs
- Size
  
  24.3MB
- MD5
  
  350e751bb68ade139e174d65008eebe0
- SHA1
  
  f235f388686573edd1475f337c9b5b34afd4b9e1
- SHA256
  
  d39e3c62fb0b70846240f3d73a3885d5024eebcc9e61fa77f5ebbb450fbf7620
- SHA512
  
  3b34c36fd8e2e9b83150cfe652bc34c615b0017174f35d4ba2513d63b73aa51ae75c928f7e6307bd29d9adeb3222cb6ba8f19c0feeab53d2cf2f66ca43394f47
- SSDEEP
  
  6144:tJGfk3YNoB2OmKvIbvSGF2qU4DZA3fX680UPUXzmcTc8cxhTWMRA4PZUhQKsTRIq:WnhrO
Score

10^/10

danabot banker trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

danabotbankertrojan

behavioral2