General

  • Target

    88ddae9c0cc427a471e258cfd2a991a779a1d368681844eee4c878a4b29855cd

  • Size

    214KB

  • Sample

    221217-1hl7xshg27

  • MD5

    ff5f44efb56f722020deeb3680fa3129

  • SHA1

    2d6bba466c5cc507320e40006997c6cad19e5094

  • SHA256

    88ddae9c0cc427a471e258cfd2a991a779a1d368681844eee4c878a4b29855cd

  • SHA512

    cf24c319363c14ccb99c0c2ca3bde07cc687e8f4fd948742f103889d1aa2ea88b3d72ae344533f4f363a01185890c6ee46ec4111df76ce6a469de26353ed70af

  • SSDEEP

    3072:rOnyOn0WLymZ8Raxyvf4//vX4cgfQ+SHFSo3tJ68/g3xobiV1kG3ERWR3Le:ryl0WLymQtcgfoFXtpg3CbmvU0V6

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes
  • type

    loader
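The four C2 entries above deserve a sanity check before they are copied into a blocklist or an IDS rule. In every entry the second and fourth octets are 0 and the first and third are the ASCII codes for the digit pairs "12", "34", "56" and "78", which is exactly what a UTF-16LE string looks like when it is read as raw bytes; port 57 is likewise the little-endian code unit for "9", and ports 0 and 65535 are not plausible listeners. The script below is an added editor's example, not part of the report or of the sandbox's own config extractor. It re-serialises each entry under an assumed layout (four address octets followed by a little-endian 16-bit port) and flags entries whose octets read as text or whose port is implausible; both the layout and the UTF-16 reading are this editor's assumptions, not something the report states.

```python
import ipaddress
import struct

# The four C2 entries exactly as printed in the report's Malware Config section.
REPORTED_C2 = ["49.0.50.0:57", "51.0.52.0:0", "53.0.54.0:1200", "55.0.56.0:65535"]


def parse_c2(entry):
    """Split 'a.b.c.d:port' into (IPv4Address, int). Raises on malformed input."""
    host, _, port = entry.rpartition(":")
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %s" % entry)
    return ipaddress.IPv4Address(host), port


def c2_to_bytes(entry):
    """Re-serialise an entry as the 6 raw bytes a config parser would have consumed:
    four address octets followed by a little-endian 16-bit port (assumed layout)."""
    ip, port = parse_c2(entry)
    return ip.packed + struct.pack("<H", port)


def as_utf16le_text(data):
    """Return the text if data is a run of UTF-16LE printable ASCII
    (every high byte NUL, every low byte printable), otherwise None."""
    if len(data) < 2 or len(data) % 2:
        return None
    lo, hi = data[0::2], data[1::2]
    if any(hi) or not all(0x20 <= b < 0x7F for b in lo):
        return None
    return data.decode("utf-16-le")


def sanity_check(entries):
    """Map each entry to the list of reasons it does not look like a real C2 endpoint."""
    report = {}
    for entry in entries:
        ip, port = parse_c2(entry)
        issues = []
        if port == 0:
            issues.append("port 0 is not a listening port")
        elif port == 65535:
            issues.append("port 65535 is an implausible C2 port")
        if (ip.is_private or ip.is_loopback or ip.is_multicast
                or ip.is_reserved or ip.is_unspecified):
            issues.append("address is not publicly routable")
        text = as_utf16le_text(ip.packed)
        if text is not None:
            issues.append("octets decode as UTF-16LE text %r" % text)
        report[entry] = issues
    return report


def decoded_octets(entries):
    """Concatenate the UTF-16LE reading of every entry's address octets,
    or None if any entry's octets are not text."""
    parts = [as_utf16le_text(parse_c2(e)[0].packed) for e in entries]
    if any(p is None for p in parts):
        return None
    return "".join(parts)


if __name__ == "__main__":
    for entry, issues in sanity_check(REPORTED_C2).items():
        print(entry, "->", "; ".join(issues) or "no issues")
    print("address octets as text:", decoded_octets(REPORTED_C2))
```

For this report `decoded_octets(REPORTED_C2)` returns "12345678" and every entry is flagged. That does not prove the extractor misread a UTF-16 string, but it is enough to treat these four endpoints as a suspected extraction artefact and to confirm them against the unpacked configuration before acting on them.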

Targets

    • Target

      88ddae9c0cc427a471e258cfd2a991a779a1d368681844eee4c878a4b29855cd

    • Size

      214KB

    • MD5

      ff5f44efb56f722020deeb3680fa3129

    • SHA1

      2d6bba466c5cc507320e40006997c6cad19e5094

    • SHA256

      88ddae9c0cc427a471e258cfd2a991a779a1d368681844eee4c878a4b29855cd

    • SHA512

      cf24c319363c14ccb99c0c2ca3bde07cc687e8f4fd948742f103889d1aa2ea88b3d72ae344533f4f363a01185890c6ee46ec4111df76ce6a469de26353ed70af

    • SSDEEP

      3072:rOnyOn0WLymZ8Raxyvf4//vX4cgfQ+SHFSo3tJ68/g3xobiV1kG3ERWR3Le:ryl0WLymQtcgfoFXtpg3CbmvU0V6

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution by region.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
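The last two signatures are the ones an analyst would usually want to reproduce from a raw API trace rather than take on trust: NtSetInformationThread with ThreadInformationClass 0x11 (ThreadHideFromDebugger) detaches a thread from any attached debugger, and a suspended child that receives WriteProcessMemory, SetThreadContext and ResumeThread in that order is the classic pattern behind "Executes dropped EXE" plus "Suspicious use of SetThreadContext". The script below is an added editor's example, not the sandbox's signature engine. The trace lines and their "<pid> <Api>(<k>=<v>, ...) => <ret>" format are constructed for the example and are not output from this sample.

```python
import re

# Constructed sandbox API trace for illustration only. The line format is an
# assumption of this example and the calls are not taken from the real sample.
TRACE = """\
1234 CreateProcessW(lpApplicationName=C:\\Users\\user\\AppData\\Local\\Temp\\drop.exe, dwCreationFlags=0x4) => 1
1234 NtSetInformationThread(ThreadHandle=0x1c8, ThreadInformationClass=0x11, ThreadInformationLength=0) => 0x0
1234 NtUnmapViewOfSection(ProcessHandle=0x1f4, BaseAddress=0x400000) => 0x0
1234 VirtualAllocEx(hProcess=0x1f4, lpAddress=0x400000, dwSize=0x34000, flProtect=0x40) => 0x400000
1234 WriteProcessMemory(hProcess=0x1f4, lpBaseAddress=0x400000, nSize=0x400) => 1
1234 SetThreadContext(hThread=0x1f8, Eip=0x40a1b0) => 1
1234 ResumeThread(hThread=0x1f8) => 0
"""

THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS value used with NtSetInformationThread
CREATE_SUSPENDED = 0x00000004      # dwCreationFlags bit for CreateProcess*

LINE_RE = re.compile(r"^(?P<pid>\d+) (?P<api>\w+)\((?P<args>.*)\) => (?P<ret>\S+)$")


def parse_trace(text):
    """Parse trace lines into dicts; lines that do not match the format are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = {}
        for kv in filter(None, m["args"].split(", ")):
            key, _, value = kv.partition("=")
            args[key] = value
        calls.append({"pid": int(m["pid"]), "api": m["api"], "args": args, "ret": m["ret"]})
    return calls


def to_int(value):
    """Interpret a logged argument as an integer (hex or decimal); None if it is not one."""
    try:
        return int(value, 0)
    except ValueError:
        return None


def detect_hide_from_debugger(calls):
    """PIDs that called NtSetInformationThread with ThreadHideFromDebugger."""
    return [c["pid"] for c in calls
            if c["api"] == "NtSetInformationThread"
            and to_int(c["args"].get("ThreadInformationClass", "")) == THREAD_HIDE_FROM_DEBUGGER]


HOLLOW_SEQUENCE = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


def detect_hollowing(calls):
    """PIDs that created a suspended child, wrote into it, changed a thread context
    and resumed it, in that order (other calls in between are ignored)."""
    by_pid = {}
    for c in calls:
        by_pid.setdefault(c["pid"], []).append(c)
    hits = []
    for pid, seq in by_pid.items():
        stage = 0
        for c in seq:
            want = HOLLOW_SEQUENCE[stage]
            if stage == 0:
                flags = to_int(c["args"].get("dwCreationFlags", "")) or 0
                if c["api"].startswith(want) and flags & CREATE_SUSPENDED:
                    stage = 1
            elif c["api"] == want:
                stage += 1
                if stage == len(HOLLOW_SEQUENCE):
                    hits.append(pid)
                    break
    return hits


def analyze(text):
    """Return (finding, pid) pairs for the trace text."""
    calls = parse_trace(text)
    findings = [("NtSetInformationThread(ThreadHideFromDebugger)", pid)
                for pid in detect_hide_from_debugger(calls)]
    findings += [("suspended child written and resumed via SetThreadContext", pid)
                 for pid in detect_hollowing(calls)]
    return findings


if __name__ == "__main__":
    for finding, pid in analyze(TRACE):
        print("pid %d: %s" % (pid, finding))
```

The hollowing rule deliberately requires the CREATE_SUSPENDED flag on the parent's CreateProcess call; SetThreadContext on its own also appears in legitimate debuggers and some unpackers, so the ordered sequence against a suspended child is what carries the signal.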

MITRE ATT&CK Enterprise v6

Tasks