General

  • Target: 7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5
  • Size: 145KB
  • Sample: 221006-bgwmjagae9
  • MD5: 9278572290796cb6a8f80297d82b7b90
  • SHA1: 0e8cf0306a07208d0d38c3e159a961c73b5096cb
  • SHA256: 7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5
  • SHA512: bdb9469eb59c56d99ed7a87f4c5443f535304b55deeb033f160c716776f1ebafdb17d129bb18e8ba14115f6a21f0f96657188acf13b9cd5d292dcf8444a9cd18
  • SSDEEP: 3072:YbJk1BhfVsi2c99mH0Y5blznQsBRgLLS/VU+a2Yu5O:4Wxsi2c9hcRQXLLS/VU+a25

Malware Config

Extracted

  • Family: danabot

Attributes

  • embedded_hash: EAD30BF58E340E9E105B328F524565E0
  • type: loader

Targets

    • Target: 7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5
    • Size: 145KB
    • MD5: 9278572290796cb6a8f80297d82b7b90
    • SHA1: 0e8cf0306a07208d0d38c3e159a961c73b5096cb
    • SHA256: 7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5
    • SHA512: bdb9469eb59c56d99ed7a87f4c5443f535304b55deeb033f160c716776f1ebafdb17d129bb18e8ba14115f6a21f0f96657188acf13b9cd5d292dcf8444a9cd18
    • SSDEEP: 3072:YbJk1BhfVsi2c99mH0Y5blznQsBRgLLS/VU+a2Yu5O:4Wxsi2c9hcRQXLLS/VU+a25

    Signatures

    • Danabot: Danabot is a modular banking Trojan that has been linked with other malware.
    • Detects Smokeloader packer
    • SmokeLoader: Modular backdoor trojan in use since 2014.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic: Technique (hit count) - Technique ID

  • Defense Evasion: Modify Registry (1) - T1112
  • Discovery: System Information Discovery (3) - T1082
  • Discovery: Query Registry (2) - T1012
  • Discovery: Peripheral Device Discovery (1) - T1120

Tasks