Extracted

• • Target

    The-MALWARE-Repo

  • Size

    297KB

  • MD5

    d28287eff114ac63c2f2e2da5da5a56e

  • SHA1

    e5ac91a7954d28ae97d4d5eead00b840d7faa176

  • SHA256

    108c653754974b226c02fdd256ed598148bc073a150900af7881964a099fa5ce

  • SHA512

    9e3dd4993b072009458501559cb2fe64a4ccce18782db10ba6d5b3fae0d496b2bd8396551b942122704985e552825788404d2651cac994163b5e0f94860115c1

  • SSDEEP

    6144:wdo/SpOL/saqkPV9FxLtcsDSsmwI9nvZJT3CqbMrhryf65NRPaCieMjAkvCJv1Ve:Eo/SpOL/saqkPV9FxLtcsDSsmwI9nvZT

  Score

  10^/10

  danabotbankerdiscoverytrojanpersistencespywarestealer

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Drops file in Drivers directory

  • Manipulates Digital Signatures

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Boot or Logon Autostart Execution: Print Processors

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    persistence

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  • Modifies termsrv.dll

    Commonly used to allow simultaneous RDP sessions.

  behavioral1behavioral2