General

  • Target

    file.exe

  • Size

    220KB

  • Sample

    221221-ffnyhsbf78

  • MD5

    fcfa03e0a403007b0c0f3237eb76c744

  • SHA1

    60682f3ee476fe546d0f4a107b19e6d39184f880

  • SHA256

    c1e243c1e46bca4b8472c39fa7f249513e3838ce0557ca66a41fe43d0b41e139

  • SHA512

    9e177d191ecb38f776970889790518703096766d8f76c53faaeff9a28e97695cf431a59629d7edb30ac2d3a4a63ab11d58e5531f2c20434a0d20b5ea9dae2785

  • SSDEEP

    3072:4bHa1HLVd115sR7/4/uKjr9ZOOIsXGp2vX1ZWV7b/mNwdo+DNHCDml:cHkHLVdu7/VKj5djv/+4wZxCa

Malware Config

Targets

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 3

    System Information Discovery (T1082): 3

    Peripheral Device Discovery (T1120): 1

Tasks