Overview

overview

10

Static

static

1

OIP.jpg

windows7-x64

OIP.jpg

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    OIP.jfif

  • Size

    10KB

  • Sample

    241118-vpylms1grq

  • MD5

    b93d7afe4b92832b106532271746ee11

  • SHA1

    98b7eb52a84a31338af5789acbaa2ec6aa103d37

  • SHA256

    10ae7bc76a6d12d1a278156b9e949850262c2fd516e54a55a1e5c2264f2bc835

  • SHA512

    f6477f5e45ca5d1738e719809f5edb65bf82e54e1d6aa6a0cebf1054875c5d6f1a13dbf4f29e34169f65fe6e132c28e44a74fbdaf4a05793f4f55e8e086b22bf

  • SSDEEP

    192:NTy1njwHoxuxq+H+yXD7CE5r4h3laN+bTONzVKG4FO2i4GwHk9ww7c1iSGO4:NgmU+H+yXD7CS4h1aN+POeG4g2iHGc7X

Score
10/10
danabotbankerbotnetdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwaretrojan

Malware Config

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204
rsa_pubkey.plain

Targets

    • Target

      OIP.jfif

    • Size

      10KB

    • MD5

      b93d7afe4b92832b106532271746ee11

    • SHA1

      98b7eb52a84a31338af5789acbaa2ec6aa103d37

    • SHA256

      10ae7bc76a6d12d1a278156b9e949850262c2fd516e54a55a1e5c2264f2bc835

    • SHA512

      f6477f5e45ca5d1738e719809f5edb65bf82e54e1d6aa6a0cebf1054875c5d6f1a13dbf4f29e34169f65fe6e132c28e44a74fbdaf4a05793f4f55e8e086b22bf

    • SSDEEP

      192:NTy1njwHoxuxq+H+yXD7CE5r4h3laN+bTONzVKG4FO2i4GwHk9ww7c1iSGO4:NgmU+H+yXD7CS4h1aN+POeG4g2iHGc7X

    Score
    10/10
    discoveryexecutiondanabotbankerbotnetdefense_evasionevasionimpactpersistenceprivilege_escalationransomwaretrojan

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot family

      danabot

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

      botnet

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

2
T1546

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

2
T1546

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

6
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

3
T1490

Tasks