danabot | 704f569522892f986810fc81dda198c9e7dc543634229a5c58f8623c74de0bb0 | Triage

Submit
Reports

Overview

overview

Static

static

c31618dee7...fc.exe

windows7-x64

c31618dee7...fc.exe

windows10-2004-x64

Sharing

General

Target

c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc
Size

141KB
Sample

221219-zbrcmabb8z
MD5

f86c1c946568de37415aa5143a5f3e3c
SHA1

b0acff246f9b3de7d9781e0484feed8912283e27
SHA256

704f569522892f986810fc81dda198c9e7dc543634229a5c58f8623c74de0bb0
SHA512

db8252e563a0c9e44edf8209400ae9eb6734ce4b31ac1017e1ef69cf41185cc7a7b7091f74e738bb9576f6ce403245d759f791daf21c6d86ff52ba5fbcc8c6a2
SSDEEP

3072:4CjjHg9L2BkKhrroEmOQWl3tABkXiUlnDbDbE2ALt5Ql5ma7D:Zg9St5ZfD3tAHUlD/g+Lm6D

Score

10^/10

danabot smokeloader backdoor banker persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe

Resource

win7-20221111-en

smokeloader backdoor trojan

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe

Resource

win10v2004-20221111-en

danabot smokeloader backdoor banker persistence trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc
- Size
  
  214KB
- MD5
  
  816287b83f2bcba44a103e227868ef1f
- SHA1
  
  4a57ff432e2f83bdbdb5c1d880728e02a47262bb
- SHA256
  
  c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc
- SHA512
  
  0235eaf331a51d8dccb1352769eb72545c36ead5ce5b988a279c795dc840cdc25a750b5b15c185df95fd4523bca45ab843a8f0c89baf4d2bad6ad3e0d5d062ea
- SSDEEP
  
  3072:IX4oLOH3aR6hPmyakx2fb+Siha+onfhe+aNRAtOba+oN2ZEzjcbImdzmuX:IIoLOHrhPmmx2T+SMinpex0RNjjcbXF
Score

10^/10

smokeloader backdoor trojan danabot banker persistence
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

danabotsmokeloaderbackdoorbankerpersistencetrojan

© 2018-2024

Terms | Privacy