danabot | a3d28f731471099e48459be1b1be2b8c4ef17147fa1946ca49cc75815e49cded | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

a3d28f731471099e48459be1b1be2b8c4ef17147fa1946ca49cc75815e49cded
Size

200KB
Sample

221018-mkd3fafdf3
MD5

bdc2da55adc8e7ebf1dd52759e64043b
SHA1

b6fc52dbe086dad5c506a75af3b6766109b9f8d8
SHA256

a3d28f731471099e48459be1b1be2b8c4ef17147fa1946ca49cc75815e49cded
SHA512

b300f53960987331747c38e687447720d2088edac7c5484290cc7f932bd1d960d388aa6feb2c5d4cc100b0142f2b16de052d9306694b0f6e157a589677d1cb9f
SSDEEP

3072:AXhZB1LW5EzW52+4Nup0GPU1kB+9EV0KfPGhqI5B:0/B1L5zR+4v1jA04Ne

Score

10^/10

danabot smokeloader backdoor banker spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

a3d28f731471099e48459be1b1be2b8c4ef17147fa1946ca49cc75815e49cded.exe

Resource

win10v2004-20220812-en

danabot smokeloader backdoor banker spyware stealer trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

danabot

C2

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
56951C922035D696BFCE443750496462
type
loader

Targets

- Target
  
  a3d28f731471099e48459be1b1be2b8c4ef17147fa1946ca49cc75815e49cded
- Size
  
  200KB
- MD5
  
  bdc2da55adc8e7ebf1dd52759e64043b
- SHA1
  
  b6fc52dbe086dad5c506a75af3b6766109b9f8d8
- SHA256
  
  a3d28f731471099e48459be1b1be2b8c4ef17147fa1946ca49cc75815e49cded
- SHA512
  
  b300f53960987331747c38e687447720d2088edac7c5484290cc7f932bd1d960d388aa6feb2c5d4cc100b0142f2b16de052d9306694b0f6e157a589677d1cb9f
- SSDEEP
  
  3072:AXhZB1LW5EzW52+4Nup0GPU1kB+9EV0KfPGhqI5B:0/B1L5zR+4v1jA04Ne
Score

10^/10

danabot smokeloader backdoor banker spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

danabotsmokeloaderbackdoorbankerspywarestealertrojan

© 2018-2025

Terms | Privacy