Overview

overview

10

Static

static

10

747400b85e...4e.exe

windows7-x64

10

747400b85e...4e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    747400b85ea1a32f41016b22496ca24e.exe

  • Size

    258KB

  • Sample

    221024-sgqjyshdam

  • MD5

    747400b85ea1a32f41016b22496ca24e

  • SHA1

    9c4dce7638007955d9d259e7f11f3c1f237b1ce7

  • SHA256

    dc48e95839bcfd343c62e0a574a94e9640b8463e9c5c29bf04e7423135307994

  • SHA512

    aa97d2d29c97b17005e48ae540a74d127e568cbcaea514352dd5aa84c5c434aebc23ef4dd31bd890ceb617d49a60d4f15200a774ec23a211b68642759b333024

  • SSDEEP

    6144:k9b3LPLnIJ1GTXZQOz1nJjVgmxaOAxyc9:S3zcfG9pQm0xyY

Score
10/10
danabotneshtasmokeloadervidar937backdoorbankerdiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

danabot

Attributes
  • embedded_hash

    569235DCA8F16ED8310BBACCB674F896

  • type

    loader

Extracted

Family

vidar

Version

55.2

Botnet

937

C2

https://t.me/slivetalks

https://c.im/@xinibin420
Attributes
  • profile_id

    937

Targets

    • Target

      747400b85ea1a32f41016b22496ca24e.exe

    • Size

      258KB

    • MD5

      747400b85ea1a32f41016b22496ca24e

    • SHA1

      9c4dce7638007955d9d259e7f11f3c1f237b1ce7

    • SHA256

      dc48e95839bcfd343c62e0a574a94e9640b8463e9c5c29bf04e7423135307994

    • SHA512

      aa97d2d29c97b17005e48ae540a74d127e568cbcaea514352dd5aa84c5c434aebc23ef4dd31bd890ceb617d49a60d4f15200a774ec23a211b68642759b333024

    • SSDEEP

      6144:k9b3LPLnIJ1GTXZQOz1nJjVgmxaOAxyc9:S3zcfG9pQm0xyY

    Score
    10/10
    neshtasmokeloaderbackdoorpersistencespywarestealertrojandanabotvidar937bankerdiscovery

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Detect Neshta payload

    • Detects Smokeloader packer

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks