General

  • Target

    42c9365b1284d5e5e95be8c82e3eb480.exe

  • Size

    271KB

  • Sample

    220108-tagtxadbb3

  • MD5

    42c9365b1284d5e5e95be8c82e3eb480

  • SHA1

    af966c6db72acf8ccdab4d39f7f328043c3ad592

  • SHA256

    47c2ec67d40d8e342db29823981ab4539c758486d30d00bd15106acdb39a96cc

  • SHA512

    b5fd84c5fc5b2fa94227f9732af2b5ced856349f37a1a1175a3bcd4065a016bc5c129b8e52ade6ec8bfe2c7a11f5bd2a0af527cb6901320f7e2136b81022a660

Malware Config

Extracted

  • Family

    smokeloader

  • Version

    2020

  • C2

    http://nahbleiben.at/upload/
    http://noblecreativeaz.com/upload/
    http://tvqaq.cn/upload/
    http://recmaster.ru/upload/
    http://sovels.ru/upload/

  • rc4.i32

Extracted

  • Family

    danabot

  • Botnet

    4

  • C2

    192.119.110.4:443
    192.236.194.72:443

  • Attributes

    embedded_hash: 422236FD601D11EE82825A484D26DD6F
    type: loader

  • rsa_pubkey.plain

  • rsa_privkey.plain

Targets

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot Loader Component

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry (T1012)

    1

  • Peripheral Device Discovery (T1120)

    1

  • System Information Discovery (T1082)

    1

Tasks