Overview

overview

10

Static

static

1

URLScan

urlscan

http://pronhub.com

windows10-ltsc 2021-x64

Resubmissions

07-01-2025 08:22

250107-j9tyeavjgq 8

07-01-2025 07:27

250107-h9551azres 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://pronhub.com

  • Sample

    250107-h9551azres

Score
10/10
danabotbankerdiscoverymacrophishingtrojanxlm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://blockchainjoblist.com/wp-admin/014080/
exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/
exe.dropper

https://atnimanvilla.com/wp-content/073735/
exe.dropper

https://yeuquynhnhai.com/upload/41830/
exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204
rsa_pubkey.plain

Targets

    • Target

      http://pronhub.com

    Score
    10/10
    danabotbankerdiscoverymacrophishingtrojanxlm

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot family

      danabot

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

      macroxlm

    • A potential corporate email address has been identified in the URL: [email protected]

      phishing

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks