General

  • Target: db7151937c43b654aacf8dffa21911583207fdc44b0361951a80771bbe013e51
  • Size: 213KB
  • Sample: 221217-z9fnsahf83
  • MD5: 58169fd22c6ec1439ee19ead172c3899
  • SHA1: ba3fb99e671c0b4a63711063ae2b937e9c7e508c
  • SHA256: db7151937c43b654aacf8dffa21911583207fdc44b0361951a80771bbe013e51
  • SHA512: 21aa99a7051dfb0238c49a89d25e23c641d1a0ce4ba88ccce621597224e8c842c5a5b8926de0f49a8f5bbf0d5e66c8304b5e62b6981cdd29e3cb9fb48884fa8b
  • SSDEEP: 3072:jbbUC2BHL2TZZ8RzvuBkvrvbVnJ9NJsFkjRCbSJT8/g3xo4X1Q12uCAaG3ERWR36:j3fOHL2FIU2rtNJGSMS6g3Cz13U0V6

Malware Config

Extracted

  • Family: danabot
  • C2:
      49.0.50.0:57
      51.0.52.0:0
      53.0.54.0:1200
      55.0.56.0:65535
  • Attributes:
      type: loader

Targets

    • Danabot
      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader
      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks