danabot | 858e68680bd069abc15038f92335361700eaf36ac9aa61ff8c54f555eb83939f | Triage

Submit
Reports

Overview

overview

Static

static

3

dridex

windows10-2004-x64

Sharing

General

Target

858e68680bd069abc15038f92335361700eaf36ac9aa61ff8c54f555eb83939f
Size

3.9MB
Sample

231118-bpna5agd79
MD5

cac3d966342e978c8604f5dbd3e4352a
SHA1

617e28d9c047dc4bd970bbb1915cc159abc8473e
SHA256

858e68680bd069abc15038f92335361700eaf36ac9aa61ff8c54f555eb83939f
SHA512

d7eea99be0e9602e7dffb642ce9d3c7f1fbb04bf8fc9cd763cd5c829f41d743e3613b3ecd0e24244787b8d79391e6f6f397d33a41a5bab878a886bde47514eae
SSDEEP

98304:YCHL70XKljH3xzwmGss0VV0B7cOeE8li5o5i:LHL70XsjH3xUmq0VViIPE8l

Score

10^/10

danabot redline 13 banker discovery infostealer persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

858e68680bd069abc15038f92335361700eaf36ac9aa61ff8c54f555eb83939f.exe

Resource

win10v2004-20231023-en

danabot redline 13 banker discovery infostealer persistence spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

13

C2

77.91.68.235:9486

Targets

- Target
  
  858e68680bd069abc15038f92335361700eaf36ac9aa61ff8c54f555eb83939f
- Size
  
  3.9MB
- MD5
  
  cac3d966342e978c8604f5dbd3e4352a
- SHA1
  
  617e28d9c047dc4bd970bbb1915cc159abc8473e
- SHA256
  
  858e68680bd069abc15038f92335361700eaf36ac9aa61ff8c54f555eb83939f
- SHA512
  
  d7eea99be0e9602e7dffb642ce9d3c7f1fbb04bf8fc9cd763cd5c829f41d743e3613b3ecd0e24244787b8d79391e6f6f397d33a41a5bab878a886bde47514eae
- SSDEEP
  
  98304:YCHL70XKljH3xzwmGss0VV0B7cOeE8li5o5i:LHL70XsjH3xUmq0VViIPE8l
Score

10^/10

danabot redline 13 banker discovery infostealer persistence spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

danabotredline13bankerdiscoveryinfostealerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy