danabot | 88758290d488d18df2d88bf750d3c4dd49538f240702f9225df933fea6b1a6f1 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

88758290d488d18df2d88bf750d3c4dd49538f240702f9225df933fea6b1a6f1
Size

230KB
Sample

221025-e4cdysbeh5
MD5

67697a4abb3c1e9cbc298995feb271f6
SHA1

7391b50e30805bba9aa22581b6fac2a16d3fbd48
SHA256

88758290d488d18df2d88bf750d3c4dd49538f240702f9225df933fea6b1a6f1
SHA512

6a54153d0ac75ad1d3fa5d2ad002cc0a779a3d9e28c3a9aa32d9f482bd0e755fb3e05d051a5123fb8a622801772fe52fb65b29d9000bb9941c180e7df0e6c64a
SSDEEP

3072:RXs1GeLjvwZWY5tlzN6zvOR4DNS5Qzb2xxHDpEriYlu3ET8PRCl:15eL8ZWcgsQGHDplU4PRCl

Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

88758290d488d18df2d88bf750d3c4dd49538f240702f9225df933fea6b1a6f1.exe

Resource

win10-20220812-en

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

windows10-1703-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

C2

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Targets

- Target
  
  88758290d488d18df2d88bf750d3c4dd49538f240702f9225df933fea6b1a6f1
- Size
  
  230KB
- MD5
  
  67697a4abb3c1e9cbc298995feb271f6
- SHA1
  
  7391b50e30805bba9aa22581b6fac2a16d3fbd48
- SHA256
  
  88758290d488d18df2d88bf750d3c4dd49538f240702f9225df933fea6b1a6f1
- SHA512
  
  6a54153d0ac75ad1d3fa5d2ad002cc0a779a3d9e28c3a9aa32d9f482bd0e755fb3e05d051a5123fb8a622801772fe52fb65b29d9000bb9941c180e7df0e6c64a
- SSDEEP
  
  3072:RXs1GeLjvwZWY5tlzN6zvOR4DNS5Qzb2xxHDpEriYlu3ET8PRCl:15eL8ZWcgsQGHDplU4PRCl
Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

danabotsmokeloadervidar937backdoorbankerdiscoveryspywarestealertrojan

© 2018-2024

Terms | Privacy