danabot | cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383 | Triage

Submit
Reports

Overview

overview

Static

static

cb029abb2b...83.exe

windows7-x64

cb029abb2b...83.exe

windows10-2004-x64

Sharing

General

Target

cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383
Size

29KB
Sample

221220-qv4bvscg71
MD5

cb4573fa9acae5c637fced7e7cb8192c
SHA1

d2145f53a192e768b8bfbf9b633941790424ff7f
SHA256

cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383
SHA512

450a7dd225a0534c78073fc4fd519af2a82fc86f78ce1e9ce92a990cc1132f26546182ec6e26880cfa75ff405bf0a682b1f0ed9cdfc3a9579b598294f89cc3cc
SSDEEP

768:0BCzbIqVpKx3Vy2C0Jjfp/zX+Y9Kw5LG3OILRSwEqqmhAZPg5W:0+Iqqx3VyExprXl9Kw5LGBcPma0W

Score

10^/10

danabot smokeloader systembc backdoor banker discovery persistence trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe

Resource

win7-20221111-en

smokeloader backdoor trojan

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe

Resource

win10v2004-20221111-en

danabot smokeloader systembc backdoor banker discovery persistence trojan

windows10-2004-x64

28 signatures

150 seconds

Malware Config

Extracted

Family

systembc

C2

109.205.214.18:443

Targets

- Target
  
  cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383
- Size
  
  29KB
- MD5
  
  cb4573fa9acae5c637fced7e7cb8192c
- SHA1
  
  d2145f53a192e768b8bfbf9b633941790424ff7f
- SHA256
  
  cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383
- SHA512
  
  450a7dd225a0534c78073fc4fd519af2a82fc86f78ce1e9ce92a990cc1132f26546182ec6e26880cfa75ff405bf0a682b1f0ed9cdfc3a9579b598294f89cc3cc
- SSDEEP
  
  768:0BCzbIqVpKx3Vy2C0Jjfp/zX+Y9Kw5LG3OILRSwEqqmhAZPg5W:0+Iqqx3VyExprXl9Kw5LGBcPma0W
Score

10^/10

smokeloader backdoor trojan danabot systembc banker discovery persistence
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

danabotsmokeloadersystembcbackdoorbankerdiscoverypersistencetrojan

© 2018-2024

Terms | Privacy