danabot | 2cf2ee2db74747868d2f966ffdaa427a78f0815ac4bfd7cb80691716bb7bc1f7 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

2cf2ee2db74747868d2f966ffdaa427a78f0815ac4bfd7cb80691716bb7bc1f7
Size

230KB
Sample

221019-x2891sdhhk
MD5

b63164b2b5bad650747aebaae0a7ffcb
SHA1

d5511ec757f50be23024ab8c8f9f756bfe661b0d
SHA256

2cf2ee2db74747868d2f966ffdaa427a78f0815ac4bfd7cb80691716bb7bc1f7
SHA512

6a4a3971f4f5244474a658dcd513a1f69b639bd8ad952ed1481a13548f667524430f0f043a862699eb6c10ef774fefd170ae76e1e4d12136dba7fb36eb5ade73
SSDEEP

3072:mA2Cj4CVppigS+dLc3vNHvWh5oxgYzM8JZBZ865TtLSYUzrZDuLbak:mA/M8VLc3FHvQ5XUd5Tt3UzrYLe

Score

10^/10

danabot smokeloader backdoor banker discovery spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

2cf2ee2db74747868d2f966ffdaa427a78f0815ac4bfd7cb80691716bb7bc1f7.exe

Resource

win10v2004-20220812-en

danabot smokeloader backdoor banker discovery spyware stealer trojan

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

danabot

C2

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443

Attributes

embedded_hash
56951C922035D696BFCE443750496462
type
loader

Targets

- Target
  
  2cf2ee2db74747868d2f966ffdaa427a78f0815ac4bfd7cb80691716bb7bc1f7
- Size
  
  230KB
- MD5
  
  b63164b2b5bad650747aebaae0a7ffcb
- SHA1
  
  d5511ec757f50be23024ab8c8f9f756bfe661b0d
- SHA256
  
  2cf2ee2db74747868d2f966ffdaa427a78f0815ac4bfd7cb80691716bb7bc1f7
- SHA512
  
  6a4a3971f4f5244474a658dcd513a1f69b639bd8ad952ed1481a13548f667524430f0f043a862699eb6c10ef774fefd170ae76e1e4d12136dba7fb36eb5ade73
- SSDEEP
  
  3072:mA2Cj4CVppigS+dLc3vNHvWh5oxgYzM8JZBZ865TtLSYUzrZDuLbak:mA/M8VLc3FHvQ5XUd5Tt3UzrYLe
Score

10^/10

danabot smokeloader backdoor banker discovery spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

danabotsmokeloaderbackdoorbankerdiscoveryspywarestealertrojan

© 2018-2025

Terms | Privacy