General

  • Target

    1904179129571057cc163fc3f6098f88dac62e929d1a0fd2f5227122a76fe9ce

  • Size

    2.4MB

  • Sample

    221218-p25ylaca58

  • MD5

    61d988e9e9a8fd2be991708b3ae62d16

  • SHA1

    699c23b11f591eb1da3699d1a438adf4bc90056e

  • SHA256

    1904179129571057cc163fc3f6098f88dac62e929d1a0fd2f5227122a76fe9ce

  • SHA512

    733f09296b567f957b5484dea4a509f470781e045730f7bde42fb15d32f8a67c618c9eab55b599c5e5d0f77714d58c3c901ff57eee852e78e90c8eceb308ae8f

  • SSDEEP

    49152:jRTvDqSU3n1r8bCTV+8f1My3xvBQ5dqfDk2SYS9JHtMzo:hvDqj3n13Rvkq7kdLxtMzo

Malware Config

Extracted

Family

danabot

C2

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes
  • embedded_hash

    8F56CD73F6B5CD5D7B17B0BA61E70A82

  • type

    loader

Targets

    • Target

      1904179129571057cc163fc3f6098f88dac62e929d1a0fd2f5227122a76fe9ce

    • Size

      2.4MB

    • MD5

      61d988e9e9a8fd2be991708b3ae62d16

    • SHA1

      699c23b11f591eb1da3699d1a438adf4bc90056e

    • SHA256

      1904179129571057cc163fc3f6098f88dac62e929d1a0fd2f5227122a76fe9ce

    • SHA512

      733f09296b567f957b5484dea4a509f470781e045730f7bde42fb15d32f8a67c618c9eab55b599c5e5d0f77714d58c3c901ff57eee852e78e90c8eceb308ae8f

    • SSDEEP

      49152:jRTvDqSU3n1r8bCTV+8f1My3xvBQ5dqfDk2SYS9JHtMzo:hvDqj3n13Rvkq7kdLxtMzo

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks