General

  • Target

    d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593

  • Size

    200KB

  • Sample

    220924-f5f9zaafb2

  • MD5

    8103713139a4ffbccf111954d4934368

  • SHA1

    112b2d8f63b2b7bc1b719993af19ec2c951d041d

  • SHA256

    d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593

  • SHA512

    e71a77cc1b7812544471570659a4b218475b09d2e82f6db1dd23ee86a987b26a2ea791f355a0eb885eb9bc13d6ff97d44cb2f572decf7433349fee2c7b72bea3

  • SSDEEP

    3072:qw4nyEzLTffCXg85UNeHj/MLML2jWWc3T+eixgGZhRBvipo/Pkj4x:qIkLTCX2K/MQL26WcDSxHZo

Malware Config

Extracted

Family

danabot

C2

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes
  • embedded_hash

    6618C163D57D6441FCCA65D86C4D380D

  • type

    loader

Targets

    • Target

      d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593

    • Size

      200KB

    • MD5

      8103713139a4ffbccf111954d4934368

    • SHA1

      112b2d8f63b2b7bc1b719993af19ec2c951d041d

    • SHA256

      d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593

    • SHA512

      e71a77cc1b7812544471570659a4b218475b09d2e82f6db1dd23ee86a987b26a2ea791f355a0eb885eb9bc13d6ff97d44cb2f572decf7433349fee2c7b72bea3

    • SSDEEP

      3072:qw4nyEzLTffCXg85UNeHj/MLML2jWWc3T+eixgGZhRBvipo/Pkj4x:qIkLTCX2K/MQL26WcDSxHZo

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Tasks