danabot | 44663130dda69ac26c3e8425c7b7a55fa17287afee9e76698679e978c843a9cd | Triage

Submit
Reports

Overview

overview

Static

static

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

214KB
Sample

221217-x9hf9shc87
MD5

2d0c7c4ee53da3f8da010c55c53404fb
SHA1

da540524373b80cd1bc03bf94bfa8e513c2f3b1a
SHA256

44663130dda69ac26c3e8425c7b7a55fa17287afee9e76698679e978c843a9cd
SHA512

9b17d94596797a8a697bc1c32d71c7311d7d354b8ddaabc35182ca0ec6ea62bddd646ed2d2d8c36ebacd41a2cb12deb794e59fe7aaaed50b31edd577120f55dc
SSDEEP

3072:yiZCQ+nL0NZ8RXQZFDByc4e6j4x2RH8/g3xoRabKr0ODG3ERWR3Le:yQCjnL0NeQZFDs4x2R8g3CR6s0JU0V6

Score

10^/10

danabot smokeloader backdoor banker trojan

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20221111-en

smokeloader backdoor trojan

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20221111-en

danabot smokeloader backdoor banker trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

type
loader

Targets

- Target
  
  file.exe
- Size
  
  214KB
- MD5
  
  2d0c7c4ee53da3f8da010c55c53404fb
- SHA1
  
  da540524373b80cd1bc03bf94bfa8e513c2f3b1a
- SHA256
  
  44663130dda69ac26c3e8425c7b7a55fa17287afee9e76698679e978c843a9cd
- SHA512
  
  9b17d94596797a8a697bc1c32d71c7311d7d354b8ddaabc35182ca0ec6ea62bddd646ed2d2d8c36ebacd41a2cb12deb794e59fe7aaaed50b31edd577120f55dc
- SSDEEP
  
  3072:yiZCQ+nL0NZ8RXQZFDByc4e6j4x2RH8/g3xoRabKr0ODG3ERWR3Le:yQCjnL0NeQZFDs4x2R8g3CR6s0JU0V6
Score

10^/10

smokeloader backdoor trojan danabot banker
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

danabotsmokeloaderbackdoorbankertrojan

© 2018-2024

Terms | Privacy