General
-
Target
9b1431ed3a3ac2e55ef652301d7cd58fac4fb7213919f1a180b8cce23c0dc4c7
-
Size
214KB
-
Sample
221217-xx8spahc39
-
MD5
0563da06ee50ba49db438972b21d7813
-
SHA1
f7be7fdf9e376ed8b246e3ebd4be2537075eac8c
-
SHA256
9b1431ed3a3ac2e55ef652301d7cd58fac4fb7213919f1a180b8cce23c0dc4c7
-
SHA512
66985e980cdbbdba5f798460a8a3c32e489aabbcfbb74f54bcbef003577eb53c06da39ccc3e7925dc7cae2559721375617a153ab365d55e39a8ca205297f6728
-
SSDEEP
3072:dfh/JULEP8RbdQoKfdes/jUsizN3aA82ms8/g3xoy+ewoODPmG3ERWR3Le:dhxULElfw4jwlaAJAg3CPeVaPnU0V6
Malware Config
Extracted
danabot
49.0.50.0:57
51.0.52.0:0
53.0.54.0:1200
55.0.56.0:65535
-
type
loader
Targets
-
-
Target
9b1431ed3a3ac2e55ef652301d7cd58fac4fb7213919f1a180b8cce23c0dc4c7
-
Size
214KB
-
MD5
0563da06ee50ba49db438972b21d7813
-
SHA1
f7be7fdf9e376ed8b246e3ebd4be2537075eac8c
-
SHA256
9b1431ed3a3ac2e55ef652301d7cd58fac4fb7213919f1a180b8cce23c0dc4c7
-
SHA512
66985e980cdbbdba5f798460a8a3c32e489aabbcfbb74f54bcbef003577eb53c06da39ccc3e7925dc7cae2559721375617a153ab365d55e39a8ca205297f6728
-
SSDEEP
3072:dfh/JULEP8RbdQoKfdes/jUsizN3aA82ms8/g3xoy+ewoODPmG3ERWR3Le:dhxULElfw4jwlaAJAg3CPeVaPnU0V6
Score10/10-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-