danabot

General

Target

cc34204494d316e46e26cd28b13d6a7ac540f7d0b6058c026e37fc83ec55aee6
Size

141KB
Sample

221219-gqmzmshd3w
MD5

50cd109c45578dc90c4c58c8320d18fe
SHA1

f72cfed0d748a66691e54d631f33564e95012cba
SHA256

6fb567b54bada67b584da1ba8a8ff06df7f36432c1aca95b2e070bca67483410
SHA512

56b75a9089a8dd33a6be14a8b93478f7b3213a16ce6062e040842095e0c98c7d4ea13f4191dd91f554e8b17722388267a1628a1c4ade49f55615a387791d6485
SSDEEP

3072:6Mw+yRsZagmOtKb5a/LxgcUeh0Pk5y3PdAuQSC1ixK:bfSYk5Ydg80PuUPKYK

Score

10^/10

Malware Config

Targets

- Target
  
  cc34204494d316e46e26cd28b13d6a7ac540f7d0b6058c026e37fc83ec55aee6
- Size
  
  214KB
- MD5
  
  251a41fc5e568b24574e7a0649679240
- SHA1
  
  5f0ce9ee0c94d5e0d0c64ac435f4a1f6241ed2a1
- SHA256
  
  cc34204494d316e46e26cd28b13d6a7ac540f7d0b6058c026e37fc83ec55aee6
- SHA512
  
  60c8feca298910e7606a3b3b4364423f5585f9a4b8f454dab92a23b06d2118d6eef34cbafbb14b2fa3e08f8c92f8ff7cb43f8f60b320e7bc6212ae2aef66f89a
- SSDEEP
  
  6144:Q9MLzWvtOIx+kkS169CKxPgnYypx+hH0MjlVklPH:Q9MvWv8IEkFwfPgvXuJlU
Score

10^/10

smokeloader backdoor trojan danabot banker discovery
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Detects Smokeloader packer

SmokeLoader

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2