Overview

overview

10

Static

static

1

URLScan

urlscan

https://megascratchr...

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://megascratchrewards.com/?utm_source=pop&utm_medium=111111.111111_111111

  • Sample

    250125-sxsn9azqej

Score
10/10
danabotbankerdiscoveryexecutionpersistencetrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://blockchainjoblist.com/wp-admin/014080/
exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/
exe.dropper

https://atnimanvilla.com/wp-content/073735/
exe.dropper

https://yeuquynhnhai.com/upload/41830/
exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://erpoweredent.at/3/zte.dll

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204
rsa_pubkey.plain

Targets

    • Target

      https://megascratchrewards.com/?utm_source=pop&utm_medium=111111.111111_111111

    Score
    10/10
    danabotbankerdiscoveryexecutionpersistencetrojan

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot family

      danabot

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Probable phishing domain

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks