Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://www.bing.com...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://www.bing.com/ck/a?!&&p=f5692c10949b9607JmltdHM9MTcyOTI5NjAwMCZpZ3VpZD0xYmM5YWFiNy1jNDY5LTZmZTYtMmJkMy1iZTBkYzUzNzZlZDkmaW5zaWQ9NTUxOA&ptn=3&ver=2&hsh=3&fclid=1bc9aab7-c469-6fe6-2bd3-be0dc5376ed9&psq=malware+samples+github&u=a1aHR0cHM6Ly9naXRodWIuY29tL0RhMmRhbHVzL1RoZS1NQUxXQVJFLVJlcG8&ntb=1

  • Sample

    241020-hfpadswfkp

Score
10/10
danabotbankerbotnetdefense_evasiondiscoverymacromacro_on_actiontrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://blockchainjoblist.com/wp-admin/014080/
exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/
exe.dropper

https://atnimanvilla.com/wp-content/073735/
exe.dropper

https://yeuquynhnhai.com/upload/41830/
exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://erpoweredent.at/3/zte.dll

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204
rsa_pubkey.plain

Targets

    • Target

      https://www.bing.com/ck/a?!&&p=f5692c10949b9607JmltdHM9MTcyOTI5NjAwMCZpZ3VpZD0xYmM5YWFiNy1jNDY5LTZmZTYtMmJkMy1iZTBkYzUzNzZlZDkmaW5zaWQ9NTUxOA&ptn=3&ver=2&hsh=3&fclid=1bc9aab7-c469-6fe6-2bd3-be0dc5376ed9&psq=malware+samples+github&u=a1aHR0cHM6Ly9naXRodWIuY29tL0RhMmRhbHVzL1RoZS1NQUxXQVJFLVJlcG8&ntb=1

    Score
    10/10
    danabotbankerbotnetdefense_evasiondiscoverymacromacro_on_actiontrojanxlm

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

      botnet

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

      macromacro_on_action

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

      macroxlm

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks