General

  • Target

    4116fcfcfe5df39c8356a59782606b1f19ab693ce6ff1e363f8606166fcf58fb.exe

  • Size

    1.1MB

  • Sample

    240725-c3k9cswgje

  • MD5

    26d32ba746528921415f4299188d0451

  • SHA1

    0635b7b33a6f79e84dfe8fe1f7f4152d20c533c7

  • SHA256

    4116fcfcfe5df39c8356a59782606b1f19ab693ce6ff1e363f8606166fcf58fb

  • SHA512

    d7186313bf093a11f0e314aa225a7c36ad9f7ad1b00723103f6851c832829cf8a4abc2cb6983c646b34e38c2d7a16f3217a0efe0065d4942f4fd0ac2172d35e4

  • SSDEEP

    24576:121pHZkUu40eoX4zuROs5obLOfkAnMNMo+C0OW/WS7H1S:mHZzu40ecUuFobafkaMNMo+plj7k

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.254.217.192:443

192.236.146.173:443

23.254.133.7:443

185.62.58.85:443

Attributes
  • embedded_hash

    3CCDCA270E94321B76E2E66C454CD541

  • type

    loader
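The extracted configuration above is the part of this report a defender will act on first. The following is an added example, not part of the sandbox report, showing how the C2 list and file hashes can be turned into a simple IOC matcher over connection logs and files. The log format and all log lines are constructed for the example; only the C2 endpoints and hashes come from the report. Because every C2 is on TCP/443 (TLS), there is no content to inspect, so matching is on destination IP and port, with an optional IP-only mode in case the operators move ports.

```python
"""Added example: match the DanaBot config extracted in this report
against connection logs and file hashes. Not code from the report."""
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple

# C2 endpoints exactly as extracted from the sample's config (botnet 5).
DANABOT_C2: Set[Tuple[str, int]] = {
    ("23.254.217.192", 443),
    ("192.236.146.173", 443),
    ("23.254.133.7", 443),
    ("185.62.58.85", 443),
}
DANABOT_C2_IPS: Set[str] = {ip for ip, _ in DANABOT_C2}

# File hashes of the analysed sample, as listed in the report.
SAMPLE_HASHES: Dict[str, str] = {
    "md5": "26d32ba746528921415f4299188d0451",
    "sha1": "0635b7b33a6f79e84dfe8fe1f7f4152d20c533c7",
    "sha256": "4116fcfcfe5df39c8356a59782606b1f19ab693ce6ff1e363f8606166fcf58fb",
}

# Hypothetical firewall log format, constructed for this example:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ACTION>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>[A-Z]+)$"
)

# Constructed sample log (not real traffic): two hits on 443, one on a
# non-listed port, one unrelated destination, one unparseable line.
SAMPLE_LOG: List[str] = """\
2024-07-25T03:12:01Z 10.0.0.15:51234 -> 23.254.217.192:443 ALLOW
2024-07-25T03:12:02Z 10.0.0.15:51235 -> 142.250.74.78:443 ALLOW
2024-07-25T03:12:09Z 10.0.0.22:49211 -> 185.62.58.85:443 DENY
2024-07-25T03:12:10Z 10.0.0.22:49212 -> 185.62.58.85:8443 ALLOW
garbage line that does not parse
""".splitlines()

Hit = Tuple[str, str, str, int, str]  # (ts, src_ip, dst_ip, dst_port, action)


def match_c2(lines: Iterable[str], ip_only: bool = False) -> List[Hit]:
    """Return log entries whose destination is a configured C2.

    Strict mode matches IP and port as extracted; ip_only=True matches the
    IP regardless of port, which catches port changes at the cost of more
    noise if the IP is later re-used by an unrelated host."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        dst, dport = m.group("dst"), int(m.group("dport"))
        matched = dst in DANABOT_C2_IPS if ip_only else (dst, dport) in DANABOT_C2
        if matched:
            hits.append((m.group("ts"), m.group("src"), dst, dport, m.group("action")))
    return hits


def hosts_contacting_c2(lines: Iterable[str], ip_only: bool = False) -> Dict[str, Set[str]]:
    """Group hits by internal source host; a DENY still means the host tried."""
    hosts: Dict[str, Set[str]] = {}
    for _ts, src, dst, _dport, _action in match_c2(lines, ip_only):
        hosts.setdefault(src, set()).add(dst)
    return hosts


def hash_matches(data: bytes) -> Dict[str, bool]:
    """Compare a file's digests with the report's hashes, per algorithm."""
    return {
        algo: hashlib.new(algo, data).hexdigest() == expected
        for algo, expected in SAMPLE_HASHES.items()
    }


if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOG):
        print("C2 contact:", hit)
    print("hosts:", hosts_contacting_c2(SAMPLE_LOG, ip_only=True))
    print("hash check on placeholder bytes:", hash_matches(b"not the sample"))
```

Treat the IP list as dated: DanaBot infrastructure rotates, so an IP match is a trigger for investigation of the source host, not proof of infection, and the hash match only identifies this exact build, not repacked variants.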

Targets

    • Target

      4116fcfcfe5df39c8356a59782606b1f19ab693ce6ff1e363f8606166fcf58fb.exe

    • Size

      1.1MB

    • MD5

      26d32ba746528921415f4299188d0451

    • SHA1

      0635b7b33a6f79e84dfe8fe1f7f4152d20c533c7

    • SHA256

      4116fcfcfe5df39c8356a59782606b1f19ab693ce6ff1e363f8606166fcf58fb

    • SHA512

      d7186313bf093a11f0e314aa225a7c36ad9f7ad1b00723103f6851c832829cf8a4abc2cb6983c646b34e38c2d7a16f3217a0efe0065d4942f4fd0ac2172d35e4

    • SSDEEP

      24576:121pHZkUu40eoX4zuROs5obLOfkAnMNMo+C0OW/WS7H1S:mHZzu40ecUuFobafkaMNMo+plj7k

    • Danabot

      DanaBot is a modular banking Trojan. The component seen here is classified as a loader: it contacts the extracted C2 servers (all on TCP/443) to retrieve further modules, and the family has been linked with other malware both as a payload dropped by other families and as a dropper of additional payloads itself.

    • Blocklisted process makes network request

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check; samples with this behaviour may refuse to run, or behave differently, in a sandbox whose locale does not match the intended victim region.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks