General
-
Target
96c4d0ffad8aad309e2a4993fc9432bf9ce62cf269882ad5e5be4e3e996e37f2
-
Size
255KB
-
Sample
221025-x2e16sdfcp
-
MD5
19bf0516805ad138f21ffb64f9c52001
-
SHA1
14a29110811005b15df4323188c5870c08be7fca
-
SHA256
96c4d0ffad8aad309e2a4993fc9432bf9ce62cf269882ad5e5be4e3e996e37f2
-
SHA512
2441572e5d326264ca7cee13636f377aa4bf4ce29e212b204d6f05f090e1b81886289ad5a6203af028344adcbc3d43ce4e4a3d8f79d7cf288db24ee42d48fc95
-
SSDEEP
6144:qgseLtpD9YFlokBg48eijzqfERHNTMxT:q7eppD9YF848e2Ofq2xT
Malware Config
Extracted
danabot
172.86.120.215:443
213.227.155.103:443
103.187.26.147:443
172.86.120.138:443
-
embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
-
type
loader
Extracted
vidar
55.2
937
https://t.me/slivetalks
https://c.im/@xinibin420
-
profile_id
937
Targets
-
-
Target
96c4d0ffad8aad309e2a4993fc9432bf9ce62cf269882ad5e5be4e3e996e37f2
-
Size
255KB
-
MD5
19bf0516805ad138f21ffb64f9c52001
-
SHA1
14a29110811005b15df4323188c5870c08be7fca
-
SHA256
96c4d0ffad8aad309e2a4993fc9432bf9ce62cf269882ad5e5be4e3e996e37f2
-
SHA512
2441572e5d326264ca7cee13636f377aa4bf4ce29e212b204d6f05f090e1b81886289ad5a6203af028344adcbc3d43ce4e4a3d8f79d7cf288db24ee42d48fc95
-
SSDEEP
6144:qgseLtpD9YFlokBg48eijzqfERHNTMxT:q7eppD9YF848e2Ofq2xT
Score10/10-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-