General

  • Target

    d3724cfecd9a047a6c14bb98539dcad6b2bdc1bce1ce78fb0e87ceca4bcf162a

  • Size

    261KB

  • Sample

    221027-sl48xacfcm

  • MD5

    520d3825e03e2376fa5fcea29ef5649d

  • SHA1

    337ca41b2cc1ebbf4c29e241a7cf89975bdbf343

  • SHA256

    d3724cfecd9a047a6c14bb98539dcad6b2bdc1bce1ce78fb0e87ceca4bcf162a

  • SHA512

    a6663e5c2bf81c5135cef5e7c62eda32de35f924d716d5e29635f7d44ebf6ccba2e75a8675823f0e28caa012c643a9f437a7030a044f2f8cc4697cc4eebb2929

  • SSDEEP

    3072:aXajWcuBO030RoCJbl45F7UUmez4+qwWylMOBdQnPyH9I3wOYH0KC:6nlB/+oCJbqm44+1WJOBsPMI3w7H01

Malware Config

Extracted

Family

danabot

C2

172.86.120.215:443

213.227.155.103:443

103.187.26.147:443

172.86.120.138:443

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes
  • embedded_hash

    BBBB0DB8CB7E6D152424535822E445A7

  • type

    loader

Targets

    • Target

      d3724cfecd9a047a6c14bb98539dcad6b2bdc1bce1ce78fb0e87ceca4bcf162a

    • Size

      261KB

    • MD5

      520d3825e03e2376fa5fcea29ef5649d

    • SHA1

      337ca41b2cc1ebbf4c29e241a7cf89975bdbf343

    • SHA256

      d3724cfecd9a047a6c14bb98539dcad6b2bdc1bce1ce78fb0e87ceca4bcf162a

    • SHA512

      a6663e5c2bf81c5135cef5e7c62eda32de35f924d716d5e29635f7d44ebf6ccba2e75a8675823f0e28caa012c643a9f437a7030a044f2f8cc4697cc4eebb2929

    • SSDEEP

      3072:aXajWcuBO030RoCJbl45F7UUmez4+qwWylMOBdQnPyH9I3wOYH0KC:6nlB/+oCJbqm44+1WJOBsPMI3w7H01

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

Tasks