danabot | 2e8e88f58fb4c7da24306fd380311303af8e61dae5211497d9a340e74b82d2a1 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

2e8e88f58fb4c7da24306fd380311303af8e61dae5211497d9a340e74b82d2a1
Size

255KB
Sample

221025-x3cx7sdfdm
MD5

1118c9d04c38cd478a32fed3a4eb0a0c
SHA1

f77826496b896713b28a99f86550c0c1ecff1a76
SHA256

2e8e88f58fb4c7da24306fd380311303af8e61dae5211497d9a340e74b82d2a1
SHA512

02d7f5b1c9dd901337086510fe5306cf9112f3ef7c8da351945dd442fc21885cfc28d92ec1163a87f195f593606e5f6b44dc9d15a010ac6ff5ac25b3fb716e31
SSDEEP

3072:sPXV/3C++LvSG8aq8KFsjR2/ytn8qmXyJdVcQA2QAvI+IsgrwUY6hzUT:EE3LPpq8KF1TqvBGOE7rwUlzUT

Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

2e8e88f58fb4c7da24306fd380311303af8e61dae5211497d9a340e74b82d2a1.exe

Resource

win10-20220901-en

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

windows10-1703-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

C2

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Targets

- Target
  
  2e8e88f58fb4c7da24306fd380311303af8e61dae5211497d9a340e74b82d2a1
- Size
  
  255KB
- MD5
  
  1118c9d04c38cd478a32fed3a4eb0a0c
- SHA1
  
  f77826496b896713b28a99f86550c0c1ecff1a76
- SHA256
  
  2e8e88f58fb4c7da24306fd380311303af8e61dae5211497d9a340e74b82d2a1
- SHA512
  
  02d7f5b1c9dd901337086510fe5306cf9112f3ef7c8da351945dd442fc21885cfc28d92ec1163a87f195f593606e5f6b44dc9d15a010ac6ff5ac25b3fb716e31
- SSDEEP
  
  3072:sPXV/3C++LvSG8aq8KFsjR2/ytn8qmXyJdVcQA2QAvI+IsgrwUY6hzUT:EE3LPpq8KF1TqvBGOE7rwUlzUT
Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

danabotsmokeloadervidar937backdoorbankerdiscoveryspywarestealertrojan

© 2018-2024

Terms | Privacy