danabot

General

Target

revosetup.exe
Size

6.6MB
Sample

240615-t1tw6a1clp
MD5

63150c4846bfbcf27fa70ccaa8a01943
SHA1

bfe32dcc00b041e0007a883af1588f354bb9f032
SHA256

a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24
SHA512

7c0c8065c83529ffe9cf092a7ffb19f59252015d643bded9cf5459e6e6a4c582962ab6e36b330275a79649fa6e8d3da01cb95352870a52fa159bb278b967cd90
SSDEEP

98304:MPyYn2kIIR7ABl27MwarecfhZzwStzDtAVl3gaSZmg4MPyDv0bSpkmmf6osFQaiS:q7Vty27MJzw6z8X4mgJSyNyos6ac4l

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Targets

- Target
  
  revosetup.exe
- Size
  
  6.6MB
- MD5
  
  63150c4846bfbcf27fa70ccaa8a01943
- SHA1
  
  bfe32dcc00b041e0007a883af1588f354bb9f032
- SHA256
  
  a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24
- SHA512
  
  7c0c8065c83529ffe9cf092a7ffb19f59252015d643bded9cf5459e6e6a4c582962ab6e36b330275a79649fa6e8d3da01cb95352870a52fa159bb278b967cd90
- SSDEEP
  
  98304:MPyYn2kIIR7ABl27MwarecfhZzwStzDtAVl3gaSZmg4MPyDv0bSpkmmf6osFQaiS:q7Vty27MJzw6z8X4mgJSyNyos6ac4l
Score

10^/10

danabot rms agilenet aspackv2 banker botnet discovery evasion execution rat trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion execution
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2