General

  • Target

    bb0c816a7ea9e563ac877399e1787c84fa098fb1892a27f0f354747fa9a149a2

  • Size

    215KB

  • Sample

    221217-zegycscd8v

  • MD5

    c16a51b1092877aa252ff8179b46c1a1

  • SHA1

    a29d46d533e5230c72645f9bacb90ff1656f12ed

  • SHA256

    bb0c816a7ea9e563ac877399e1787c84fa098fb1892a27f0f354747fa9a149a2

  • SHA512

    78e15bc89ed55c8d3ad67ee37b143b78255a7978900f70c1703c9b8a0dfeaa303ffdc0c6f7b3c1d443397159ebeba58dcf12e086d0b86a8f31783985cdd56385

  • SSDEEP

    3072:AG02SX0LNOZ8RcJs7io/3JGSwv3KC+9NH8/g3xoiR4L1G3ERWR3Le:Al2w0LNONJho/3JGlH/g3Cw4LEU0V6

Malware Config

Targets

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks