General

  • Target

    980f95b0766b6becd04bd1efd38f357fca9779b2a506273d25db81a93deadaaf

  • Size

    215KB

  • Sample

    221217-yavg8ahc94

  • MD5

    7556145940a7a9ff2e9a3339611e37cc

  • SHA1

    1253636bed1dad00ff1e44fbe5f40f4d0ec5398b

  • SHA256

    980f95b0766b6becd04bd1efd38f357fca9779b2a506273d25db81a93deadaaf

  • SHA512

    95713809db3f21f578d7e0699bd864e27a06832a45e228560bfe92dfe1ee5d35a797c04ae38103951dbe217c975cc675edb29efdacf4519ca6d65cefb2fbc097

  • SSDEEP

    6144:N9l9aLZX4s5pDayGfMWSPbt6wsg3CDLHU0V6:jlwlIsKNfpaYqSf0O

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

  • type

    loader

Targets

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6