General

  • Target

    file.exe

  • Size

    214KB

  • Sample

    221218-j8fdmabb43

  • MD5

    3c1a4982815bb6549cd30e514e271fd6

  • SHA1

    de2809b05f50c3fa5bebaaa2bee9712724ace615

  • SHA256

    8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b

  • SHA512

    49e05c67daa6cd295d66058d6422925876689c8d1876ec267d06fe1c0af33b485382198c7f65c04ff0d35c35f404ca97a0ff7dd49b6de57e70877c41a447ddf1

  • SSDEEP

    3072:AqMK6lL0BwRYyxiV/lZ39cB9JjN/IHYzKNwz8/g3xod4ROaBG3ERWR3LV:NMtlL0byGZ39UJqH0Qg3Cd4oagU0VB

Malware Config

Extracted

Family

danabot

C2

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

  • embedded_hash

    8F56CD73F6B5CD5D7B17B0BA61E70A82

  • type

    loader

Targets

    • Target

      file.exe

    • Size

      214KB

    • MD5

      3c1a4982815bb6549cd30e514e271fd6

    • SHA1

      de2809b05f50c3fa5bebaaa2bee9712724ace615

    • SHA256

      8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b

    • SHA512

      49e05c67daa6cd295d66058d6422925876689c8d1876ec267d06fe1c0af33b485382198c7f65c04ff0d35c35f404ca97a0ff7dd49b6de57e70877c41a447ddf1

    • SSDEEP

      3072:AqMK6lL0BwRYyxiV/lZ39cB9JjN/IHYzKNwz8/g3xod4ROaBG3ERWR3LV:NMtlL0byGZ39UJqH0Qg3Cd4oagU0VB

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks