General

  • Target

    5225d9f8fde5e11240a7035a6988b7ee3ffca419eea8ca473e845ba0502bad3b.exe

  • Size

    6.1MB

  • Sample

    240622-bkgb1szeqc

  • MD5

    337d48261da1a0b48edd2c66991d1ac2

  • SHA1

    b04bef931efdc0ff889d84461ad97dac48fee4fc

  • SHA256

    5225d9f8fde5e11240a7035a6988b7ee3ffca419eea8ca473e845ba0502bad3b

  • SHA512

    aeb55d66a63fc57c04644c8ff33fe640ebe4ed9245677b653c2319bd1d94de86e3623d742591301f0ba712614dd1ac42a6a238360c94b36f56e981d4821ed59a

  • SSDEEP

    196608:rKppFEfoHJbI9Q0mOOZJYi3SGilZfjadonLE:rK7FtbIfQD9MfGdonL

Malware Config

Extracted

Family

danabot

Attributes
  • type

    loader

Targets

    • Target

      5225d9f8fde5e11240a7035a6988b7ee3ffca419eea8ca473e845ba0502bad3b.exe

    • Size

      6.1MB

    • MD5

      337d48261da1a0b48edd2c66991d1ac2

    • SHA1

      b04bef931efdc0ff889d84461ad97dac48fee4fc

    • SHA256

      5225d9f8fde5e11240a7035a6988b7ee3ffca419eea8ca473e845ba0502bad3b

    • SHA512

      aeb55d66a63fc57c04644c8ff33fe640ebe4ed9245677b653c2319bd1d94de86e3623d742591301f0ba712614dd1ac42a6a238360c94b36f56e981d4821ed59a

    • SSDEEP

      196608:rKppFEfoHJbI9Q0mOOZJYi3SGilZfjadonLE:rK7FtbIfQD9MfGdonL

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • UPX dump on OEP (original entry point)

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks