General

  • Target

    16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee

  • Size

    170KB

  • Sample

    220923-hfd5eshchl

  • MD5

    1694a1aaab237984a204b338060bde49

  • SHA1

    0b7e55eda5e452041b792a61645602122b5437e7

  • SHA256

    16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee

  • SHA512

    f03a28c3f7942080914f23f2a4a6c014b6289316f122381e747e771b6a9d8fd75968ec83c1d1e1628bd0eb00b9e39d8b82cda2b3af09c469d343dd3a113b5aab

  • SSDEEP

    3072:yJBL8sV5z53hjNhf0F2e081eA/IyGiNBp7uJ/PkW4n:GLN7thjzfw2pvA/I05i

Malware Config

Extracted

Family

danabot

Attributes
  • embedded_hash

    6618C163D57D6441FCCA65D86C4D380D

  • type

    loader

Targets


    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry: T1012 (1 signature)

  • Peripheral Device Discovery: T1120 (1 signature)

  • System Information Discovery: T1082 (1 signature)

Tasks