Extracted

• • Target

    http://Youareanidiot.cc

  Score

  10^/10

  danabotbankerbotnetevasionpersistencetrojan

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot

  • Danabot x86 payload

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1