General

  • Target

    38f2183ab80dfc4f3c61e7df7228db4acf21e339d3c588f25b91030029437bc4

  • Size

    2.4MB

  • Sample

    221218-ne5hwabg35

  • MD5

    5dcd48a0bd3fde2644210494e270babb

  • SHA1

    8f41649be45702cbaf4cf28b786675fcd2147c97

  • SHA256

    38f2183ab80dfc4f3c61e7df7228db4acf21e339d3c588f25b91030029437bc4

  • SHA512

    514271a6d9f3678d0fc0fd92bd35d9ff6f5ebff04baa5fd6c9b4e2a2781f54f3d350e480f0e12b7264064bf174b7b00507bdea0b980407a9d98c8d03fb0a3f81

  • SSDEEP

    49152:20hF3PquFGgGvi30wfVieozy+JHcG75SBDGQ+JqGcYucqDoW1ol:20hhiXi3niNyO7ws4GcCx

Malware Config

  • Extracted

    Family: danabot

  • C2

    23.236.181.126:443

    123.253.35.251:443

    66.85.173.3:443

  • Attributes

    embedded_hash: 8F56CD73F6B5CD5D7B17B0BA61E70A82

    type: loader

Targets

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
