General

  • Target

    0eced09fa8b454fcef861ad64a4cb3aef5eda9fcfece935bec301597eb15da56

  • Size

    213KB

  • Sample

    221218-pftnfaef9z

  • MD5

    a08d30244d18e852cdd593e479daefd6

  • SHA1

    fc9fdda99c9da90e1115d4eed9ae4671a18821b3

  • SHA256

    0eced09fa8b454fcef861ad64a4cb3aef5eda9fcfece935bec301597eb15da56

  • SHA512

    296e301f502a7a6896dbd755e0eb39606ec49574caaee80b62f1c2a20a883a708bec22a40daa31b3dd7be65bcde5c252bc00d06861dc3f181ca776f3e7b50f7f

  • SSDEEP

    3072:8/n8S3XILLOR+NVYp8mR+7Zr5iWGLS+r3x2g3ubqyA7HOil3lk025PH:Kn88ILLbmpn+dlGLDX+wjlVklPH

Malware Config

Extracted

Family

danabot

C2

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

  • embedded_hash

    8F56CD73F6B5CD5D7B17B0BA61E70A82

  • type

    loader

Targets

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks