danabot

General

Target

5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c
Size

255KB
Sample

221025-tbfm8sdbb7
MD5

276085b18f05cec3c45b2df874b0578c
SHA1

823345f5a8b63871ec46b82a521eb5393010b63c
SHA256

5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c
SHA512

4c29c31bd4dccf9d82c4a2c8df1922834f14dcd75fe76894895427174163236f2c627fc55a3a257b8773c9bdd06fead1816880e0bd0eb54e5cfe061084f2b702
SSDEEP

3072:iXVfWAPpxR+LZSiOBrRrPf82RW/2fR3oLF4pUk8e4QJZ7Nk3T1aYvDq77:iU+L+Lh8rRrPf8V+fyxiZ5oT16

Score

10^/10

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

C2

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Targets

- Target
  
  5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c
- Size
  
  255KB
- MD5
  
  276085b18f05cec3c45b2df874b0578c
- SHA1
  
  823345f5a8b63871ec46b82a521eb5393010b63c
- SHA256
  
  5283b7a0a6fce0e25433c065d9e2ed01bef70d1fa62b6227c3a9375dab1d0b0c
- SHA512
  
  4c29c31bd4dccf9d82c4a2c8df1922834f14dcd75fe76894895427174163236f2c627fc55a3a257b8773c9bdd06fead1816880e0bd0eb54e5cfe061084f2b702
- SSDEEP
  
  3072:iXVfWAPpxR+LZSiOBrRrPf82RW/2fR3oLF4pUk8e4QJZ7Nk3T1aYvDq77:iU+L+Lh8rRrPf8V+fyxiZ5oT16
Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1