danabot | 5e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a | Triage

Submit
Reports

Overview

overview

Static

static

ChromeSetup.exe

windows7-x64

ChromeSetup.exe

windows10-2004-x64

Sharing

General

Target

ChromeSetup.exe
Size

260KB
Sample

221027-pkdg1scbfj
MD5

318048af42c5a515d00f888051759aee
SHA1

08f02dd5f433599e79b4af8492d764b6cc20ae1d
SHA256

5e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a
SHA512

6b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e
SSDEEP

3072:1XKqvYc10U0hP/6m1h45PssEZL6zXBPRga25dZRsX+Iw3mi03zbu/T0K/:xVH/2P/6m1astL6zXAnOcmi03vu0U

Score

10^/10

danabot smokeloader backdoor banker collection discovery spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

ChromeSetup.exe

Resource

win7-20220812-en

danabot smokeloader backdoor banker trojan

windows7-x64

14 signatures

1800 seconds

Behavioral task

behavioral2

Sample

ChromeSetup.exe

Resource

win10v2004-20220901-en

danabot smokeloader backdoor banker collection discovery spyware stealer trojan

windows10-2004-x64

25 signatures

1800 seconds

Malware Config

Extracted

Family

danabot

C2

172.86.120.215:443

213.227.155.103:443

103.187.26.147:443

172.86.120.138:443

Attributes

embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
type
loader

Targets

- Target
  
  ChromeSetup.exe
- Size
  
  260KB
- MD5
  
  318048af42c5a515d00f888051759aee
- SHA1
  
  08f02dd5f433599e79b4af8492d764b6cc20ae1d
- SHA256
  
  5e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a
- SHA512
  
  6b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e
- SSDEEP
  
  3072:1XKqvYc10U0hP/6m1h45PssEZL6zXBPRga25dZRsX+Iw3mi03zbu/T0K/:xVH/2P/6m1astL6zXAnOcmi03vu0U
Score

10^/10

danabot smokeloader backdoor banker trojan collection discovery spyware stealer
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

danabotsmokeloaderbackdoorbankertrojan

behavioral2

danabotsmokeloaderbackdoorbankercollectiondiscoveryspywarestealertrojan

© 2018-2024

Terms | Privacy