General

  • Target

    2e50294022bae9ad9b8dbfc8d1b01b3a.bin

  • Size

    940KB

  • Sample

    240726-b7j2es1hre

  • MD5

    664004450550124320a55715d9096774

  • SHA1

    3651855f23442e9673d5cfca22887c8ccb64c39e

  • SHA256

    32771c477d6a15c713ed7af118ab6e120103d3e524c713a0ce1dac889866f889

  • SHA512

    d083d25b98d630cf2fe4fccb43ddb4e2b350f17693560d11555caed0dc51f14843a8c57c6b5addb67fe853e33d56cf6f87d27f3a3d7c24dd22cf4e86b8c1bd85

  • SSDEEP

    24576:MQynZyUJN7cvAPVrd1ebRbIDixnxQ0cfrWO/pAa797C2V:MrjJlcvAPV5wxn105/pbJVV

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.254.217.192:443

192.236.146.173:443

23.254.133.7:443

185.62.58.85:443

Attributes

  • embedded_hash

    3CCDCA270E94321B76E2E66C454CD541

  • type

    loader

Targets

    • Target

      876b5319199f8e1cf0e410d352af83ffa2aa9b84c1f4ca5976b89530702e4d76.exe

    • Size

      1.1MB

    • MD5

      2e50294022bae9ad9b8dbfc8d1b01b3a

    • SHA1

      e3a4505f86286b1512229df67420358a29d8f953

    • SHA256

      876b5319199f8e1cf0e410d352af83ffa2aa9b84c1f4ca5976b89530702e4d76

    • SHA512

      9441a1979a93f6b3b7dde697e11529b3e31ee14c370db1ecc3884393b78a1082453e2625758209bc066e0da622848d07d423719047c303b282e2f421b2863823

    • SSDEEP

      24576:bLgcPCgLy06q0eHwkLQFI7UWE8QUNaToFVGPfN0:bsrgeoYyREwNaToFVGPO

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Blocklisted process makes network request

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks