General

  • Size

    170KB

  • Sample

    220923-hfd5eshchl

  • MD5

    1694a1aaab237984a204b338060bde49

  • SHA1

    0b7e55eda5e452041b792a61645602122b5437e7

  • SHA256

    16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee

  • SHA512

    f03a28c3f7942080914f23f2a4a6c014b6289316f122381e747e771b6a9d8fd75968ec83c1d1e1628bd0eb00b9e39d8b82cda2b3af09c469d343dd3a113b5aab

Malware Config

Extracted

Family

danabot

Attributes

  • embedded_hash

    6618C163D57D6441FCCA65D86C4D380D

  • type

    loader

Targets

    • Target

      16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee

    • Size

      170KB

    • MD5

      1694a1aaab237984a204b338060bde49

    • SHA1

      0b7e55eda5e452041b792a61645602122b5437e7

    • SHA256

      16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee

    • SHA512

      f03a28c3f7942080914f23f2a4a6c014b6289316f122381e747e771b6a9d8fd75968ec83c1d1e1628bd0eb00b9e39d8b82cda2b3af09c469d343dd3a113b5aab

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

MITRE ATT&CK Matrix

  • Collection

  • Command and Control

  • Credential Access

  • Defense Evasion

  • Execution

  • Exfiltration

  • Impact

  • Initial Access

  • Lateral Movement

  • Persistence

  • Privilege Escalation