danabot | 554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004-x64

Sharing

General

Target

554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019
Size

227KB
Sample

221221-lldbvsca49
MD5

ba49871be66ed67378d5713ceaa111ff
SHA1

f6a515b0f4d5bc1ff2ec837ec07ba55b197a25a7
SHA256

554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019
SHA512

c648e9c19008fd2d891ba7b8dcd193aeb13248270c61827e32688feba6eacf25cbf64f9b0c60a1f6d47c5896e968f45e62e8c87fcec1371b351d62444d3d7af4
SSDEEP

3072:+iZk7XLUO3915sUasekKzJcQ2wKozVfdRN1L1TzJ9Ds6nhWzgKr/so:jkjLUO3da6KFy9QVVRXBTBWzz/

Score

10^/10

danabot smokeloader backdoor banker discovery persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019.exe

Resource

win10v2004-20221111-en

danabot smokeloader backdoor banker discovery persistence spyware stealer trojan

windows10-2004-x64

31 signatures

150 seconds

Malware Config

Targets

- Target
  
  554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019
- Size
  
  227KB
- MD5
  
  ba49871be66ed67378d5713ceaa111ff
- SHA1
  
  f6a515b0f4d5bc1ff2ec837ec07ba55b197a25a7
- SHA256
  
  554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019
- SHA512
  
  c648e9c19008fd2d891ba7b8dcd193aeb13248270c61827e32688feba6eacf25cbf64f9b0c60a1f6d47c5896e968f45e62e8c87fcec1371b351d62444d3d7af4
- SSDEEP
  
  3072:+iZk7XLUO3915sUasekKzJcQ2wKozVfdRN1L1TzJ9Ds6nhWzgKr/so:jkjLUO3da6KFy9QVVRXBTBWzz/
Score

10^/10

danabot smokeloader backdoor banker discovery persistence spyware stealer trojan
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Detects Smokeloader packer
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

danabotsmokeloaderbackdoorbankerdiscoverypersistencespywarestealertrojan

© 2018-2024

Terms | Privacy