General

  • Target

    d8287455999f2aad069146c6a014ae9b7812eb391bb003d819c9dc683b5cf771

  • Size

    283KB

  • Sample

    221026-qev1jsfgfn

  • MD5

    7dc6a27f93470994c23ce9003c912675

  • SHA1

    4a544e1d3883d36f28e5a738eb9b0f12838d0871

  • SHA256

    d8287455999f2aad069146c6a014ae9b7812eb391bb003d819c9dc683b5cf771

  • SHA512

    fe2d91f04c09ff4686f365ea858c937fc378e80aee022ae5a78ec4f90778821a1a94ded7dffe302d0a9cbb94d4f6ece785cb3f5b4b98fb558747d6c47fa3f858

  • SSDEEP

    6144:zLgm4lPaVo3DRxnUm9Rb42ORM1FsYLbuEdInatp+VY/ivHS1j9V:zl4wVo3dBP9Rb42ORM1FpbuEdIOp+K+i

Malware Config

Extracted

Family

danabot

C2

172.86.120.215:443

213.227.155.103:443

103.187.26.147:443

172.86.120.138:443

Attributes
  • embedded_hash

    BBBB0DB8CB7E6D152424535822E445A7

  • type

    loader

Extracted

Family

nymaim

C2

45.139.105.171

85.31.46.167

Extracted

Family

vidar

Version

55.2

Botnet

937

C2

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes
  • profile_id

    937

Targets

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • NyMaim

      NyMaim is malware with various capabilities, written in C++ and first seen in 2013.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • T1112 Modify Registry (1)

Credential Access

  • T1081 Credentials in Files (3)

Discovery

  • T1012 Query Registry (4)

  • T1082 System Information Discovery (4)

  • T1120 Peripheral Device Discovery (1)

Collection

  • T1005 Data from Local System (3)

Tasks