danabot | 9c76302f9096c0f7f9474d495607ef306dc101b9cbbdd652d99c137d88426ac0 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

9c76302f9096c0f7f9474d495607ef306dc101b9cbbdd652d99c137d88426ac0
Size

213KB
Sample

221218-bjdvhadb8t
MD5

e19e872d0ea3c395f5e207bda52da9e8
SHA1

402ab88f125ad2a34b5295d8e33e59e09621f139
SHA256

9c76302f9096c0f7f9474d495607ef306dc101b9cbbdd652d99c137d88426ac0
SHA512

04074d29322d85c8a70cd0fce4696055212b36c25b31f4a8362593376b4e144cbdc54764f9b2a3b03f8882a35225488acd14f15cc6f59da9a71d6759a940bd35
SSDEEP

3072:nibd0YGML5NShZwR50lci7CQKIW99Snh8/g3xoAduMG3ERWR3LV:ed07MLLSh7l7E6Gg3CnU0VB

Score

10^/10

danabot smokeloader backdoor banker discovery persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

9c76302f9096c0f7f9474d495607ef306dc101b9cbbdd652d99c137d88426ac0.exe

Resource

win10v2004-20221111-en

danabot smokeloader backdoor banker discovery persistence trojan

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

danabot

C2

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

embedded_hash
46074984462FB8A91EB57ACE680A2020
type
loader

Targets

- Target
  
  9c76302f9096c0f7f9474d495607ef306dc101b9cbbdd652d99c137d88426ac0
- Size
  
  213KB
- MD5
  
  e19e872d0ea3c395f5e207bda52da9e8
- SHA1
  
  402ab88f125ad2a34b5295d8e33e59e09621f139
- SHA256
  
  9c76302f9096c0f7f9474d495607ef306dc101b9cbbdd652d99c137d88426ac0
- SHA512
  
  04074d29322d85c8a70cd0fce4696055212b36c25b31f4a8362593376b4e144cbdc54764f9b2a3b03f8882a35225488acd14f15cc6f59da9a71d6759a940bd35
- SSDEEP
  
  3072:nibd0YGML5NShZwR50lci7CQKIW99Snh8/g3xoAduMG3ERWR3LV:ed07MLLSh7l7E6Gg3CnU0VB
Score

10^/10

danabot smokeloader backdoor banker discovery persistence trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

danabotsmokeloaderbackdoorbankerdiscoverypersistencetrojan

© 2018-2024

Terms | Privacy