danabot | 186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77 | Triage

Sharing

General

Target

186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77.a3x
Size

4.3MB
Sample

241204-ypeqbatqcm
MD5

08c6a7bcd8945856dfcc5bf247049586
SHA1

ada4b5594a44eba87d3afc23f182f452ba0dc7c9
SHA256

186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77
SHA512

9089fa2655390bfe335a654743c718bc743a10ce042874c09e9093b6eab706c6a756a9b977c9f49874637f5ca99a112fc893dfcd9ab4582f9a5304a8a86de148
SSDEEP

98304:iwAdbxY2G3T5moaWIlyhe2UwB9W4WlTAXZRolhmwmxIXjuSA:IdFRINmoUyhd5BwvTAXZRolhmwmxIXj2

Score

10^/10

danabot banker collection discovery persistence phishing spyware stealer trojan

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

type
loader

Targets

- Target
  
  186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77.a3x
- Size
  
  4.3MB
- MD5
  
  08c6a7bcd8945856dfcc5bf247049586
- SHA1
  
  ada4b5594a44eba87d3afc23f182f452ba0dc7c9
- SHA256
  
  186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77
- SHA512
  
  9089fa2655390bfe335a654743c718bc743a10ce042874c09e9093b6eab706c6a756a9b977c9f49874637f5ca99a112fc893dfcd9ab4582f9a5304a8a86de148
- SSDEEP
  
  98304:iwAdbxY2G3T5moaWIlyhe2UwB9W4WlTAXZRolhmwmxIXjuSA:IdFRINmoUyhd5BwvTAXZRolhmwmxIXj2
Score

10^/10

discovery danabot banker collection persistence phishing spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot family
  danabot
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

danabotbankercollectiondiscoverypersistencephishingspywarestealertrojan