Overview

overview

10

Static

static

3

817e14be1b...18.exe

windows7-x64

10

817e14be1b...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    817e14be1b3a0979390a8c3cc7c4f9d1_JaffaCakes118

  • Size

    4.0MB

  • Sample

    240801-wqjpjswhkc

  • MD5

    817e14be1b3a0979390a8c3cc7c4f9d1

  • SHA1

    ce294e099cefdcfb41ef8463a52be5f0dcd0e992

  • SHA256

    697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783

  • SHA512

    1fc1c1917b583d37ce57903c71a8b987bc3333d0cc309e933dde2f7f816ce5b8e42dd7c883eefd2cbd198952979fb38052cdb1e0756ae023263c4b85db898942

  • SSDEEP

    98304:xiFrwPbHPPquDjTdNwoTPI//JSGZoTw899Y72en:x5bnqunT7woqJpyTw899iH

Score
10/10
danabot3bankercollectioncredential_accessdiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

3

C2

192.236.192.241:443

134.119.186.198:443

104.168.156.222:443

192.236.192.238:443
Attributes
  • embedded_hash

    82C66843DE542BC5CB88F713DE39B52B

  • type

    main

rsa_pubkey.plain
rsa_pubkey.plain

Targets

    • Target

      817e14be1b3a0979390a8c3cc7c4f9d1_JaffaCakes118

    • Size

      4.0MB

    • MD5

      817e14be1b3a0979390a8c3cc7c4f9d1

    • SHA1

      ce294e099cefdcfb41ef8463a52be5f0dcd0e992

    • SHA256

      697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783

    • SHA512

      1fc1c1917b583d37ce57903c71a8b987bc3333d0cc309e933dde2f7f816ce5b8e42dd7c883eefd2cbd198952979fb38052cdb1e0756ae023263c4b85db898942

    • SSDEEP

      98304:xiFrwPbHPPquDjTdNwoTPI//JSGZoTw899Y72en:x5bnqunT7woqJpyTw899iH

    Score
    10/10
    danabot3bankercollectioncredential_accessdiscoveryexecutionspywarestealertrojan

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks