General

  • Target

    ccbbf4523eab317ec144a3959a346fc9b414b47ad0d594c384f7be50ffba49c3

  • Size

    215KB

  • Sample

    221217-1w9kdahg68

  • MD5

    9004b6a2345dc6a774f3de67a6729b10

  • SHA1

    2637a9a9f737de1a2353307769b93a22a59e0fc5

  • SHA256

    ccbbf4523eab317ec144a3959a346fc9b414b47ad0d594c384f7be50ffba49c3

  • SHA512

    d360230e5008723586d003cf60549d0dbef3152b20913b1281db5ec4a87aafcc0b5b6be15b592dc2fd5105b2a7e62787a2b4565afdcd499215779970739f71c3

  • SSDEEP

    3072:DIZ3cq4LgVZwR0RJpfLGrzKBqj5CEzGQK938/g3xoqNVxRAkFG3ERWR3Le:0Z3P4LgVjvZKKBqjQ6K9Mg3C0QXU0V6

Malware Config

Extracted

  • Family

    danabot

  • C2

    23.236.181.126:443

    123.253.35.251:443

    66.85.173.3:443

  • Attributes

    embedded_hash: 66969BD52E200846D6BC8C33A6EA3B94

    type: loader

Targets

    • Target

      ccbbf4523eab317ec144a3959a346fc9b414b47ad0d594c384f7be50ffba49c3

    • Size

      215KB

    • MD5

      9004b6a2345dc6a774f3de67a6729b10

    • SHA1

      2637a9a9f737de1a2353307769b93a22a59e0fc5

    • SHA256

      ccbbf4523eab317ec144a3959a346fc9b414b47ad0d594c384f7be50ffba49c3

    • SHA512

      d360230e5008723586d003cf60549d0dbef3152b20913b1281db5ec4a87aafcc0b5b6be15b592dc2fd5105b2a7e62787a2b4565afdcd499215779970739f71c3

    • SSDEEP

      3072:DIZ3cq4LgVZwR0RJpfLGrzKBqj5CEzGQK938/g3xoqNVxRAkFG3ERWR3Le:0Z3P4LgVjvZKKBqjQ6K9Mg3C0QXU0V6

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks