General
-
Target
4DFBCCA374D4D98D950E6F37996332F2396B4516245DA.exe
-
Size
290KB
-
Sample
221025-b34j9sbcbk
-
MD5
968bcc33a73c59715c820197c164618b
-
SHA1
a83e500e008030cbd92d77c9447c62fbf318328f
-
SHA256
4dfbcca374d4d98d950e6f37996332f2396b4516245da8314374a4e43761db12
-
SHA512
1ba1e25d9ab25a6523ec89478e363530f80348bd86a0c39ebb7466bac6a2517c844fd9ad83c9676a19a299d3561e94120f53e189bbcee848c6c27f483a97fd93
-
SSDEEP
3072:CrDcpkAhJ/Gwiw9wQwPWxPMiJ06gelLnzrmIpR:gWU+tMi5DlzzrmI
Malware Config
Extracted
danabot
49.0.50.0:57
51.0.52.0:0
53.0.54.0:1200
55.0.56.0:65535
-
embedded_hash
569235DCA8F16ED8310BBACCB674F896
-
type
loader
Extracted
vidar
55.2
937
https://t.me/slivetalks
https://c.im/@xinibin420
-
profile_id
937
Targets
-
-
Target
4DFBCCA374D4D98D950E6F37996332F2396B4516245DA.exe
-
Size
290KB
-
MD5
968bcc33a73c59715c820197c164618b
-
SHA1
a83e500e008030cbd92d77c9447c62fbf318328f
-
SHA256
4dfbcca374d4d98d950e6f37996332f2396b4516245da8314374a4e43761db12
-
SHA512
1ba1e25d9ab25a6523ec89478e363530f80348bd86a0c39ebb7466bac6a2517c844fd9ad83c9676a19a299d3561e94120f53e189bbcee848c6c27f483a97fd93
-
SSDEEP
3072:CrDcpkAhJ/Gwiw9wQwPWxPMiJ06gelLnzrmIpR:gWU+tMi5DlzzrmI
Score10/10-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-