danabot | 47c2ec67d40d8e342db29823981ab4539c758486d30d00bd15106acdb39a96cc

General

Target

42c9365b1284d5e5e95be8c82e3eb480.exe
Size

271KB
MD5

42c9365b1284d5e5e95be8c82e3eb480
SHA1

af966c6db72acf8ccdab4d39f7f328043c3ad592
SHA256

47c2ec67d40d8e342db29823981ab4539c758486d30d00bd15106acdb39a96cc
SHA512

b5fd84c5fc5b2fa94227f9732af2b5ced856349f37a1a1175a3bcd4065a016bc5c129b8e52ade6ec8bfe2c7a11f5bd2a0af527cb6901320f7e2136b81022a660

Score

10^/10

danabot smokeloader 4 backdoor banker trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

rc4.i32

Extracted

Family

danabot

Botnet

4

C2

192.119.110.4:443

192.236.194.72:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3777.exe.dll	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\3777.exe.dll	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\4DB0.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\4DB0.exe.dll	DanabotLoader2021

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

3777.exe4DB0.exe

pid process

4368 3777.exe
4344 4DB0.exe
Deletes itself 1 IoCs

Processes:

pid process

396
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3980 rundll32.exe
4524 rundll32.exe

pid	process
4368	3777.exe
4344	4DB0.exe

pid	process
396

pid	process
3980	rundll32.exe
4524	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

42c9365b1284d5e5e95be8c82e3eb480.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42c9365b1284d5e5e95be8c82e3eb480.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42c9365b1284d5e5e95be8c82e3eb480.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42c9365b1284d5e5e95be8c82e3eb480.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

42c9365b1284d5e5e95be8c82e3eb480.exe

pid	process
3440	42c9365b1284d5e5e95be8c82e3eb480.exe
3440	42c9365b1284d5e5e95be8c82e3eb480.exe
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

396
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

42c9365b1284d5e5e95be8c82e3eb480.exe

pid process

3440 42c9365b1284d5e5e95be8c82e3eb480.exe

pid	process
396

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3777.exe4DB0.exe

description	pid	process	target process
PID 396 wrote to memory of 4368	396		3777.exe
PID 396 wrote to memory of 4368	396		3777.exe
PID 396 wrote to memory of 4368	396		3777.exe
PID 396 wrote to memory of 4344	396		4DB0.exe
PID 396 wrote to memory of 4344	396		4DB0.exe
PID 396 wrote to memory of 4344	396		4DB0.exe
PID 4368 wrote to memory of 3980	4368	3777.exe	rundll32.exe
PID 4368 wrote to memory of 3980	4368	3777.exe	rundll32.exe
PID 4368 wrote to memory of 3980	4368	3777.exe	rundll32.exe
PID 4344 wrote to memory of 4524	4344	4DB0.exe	rundll32.exe
PID 4344 wrote to memory of 4524	4344	4DB0.exe	rundll32.exe
PID 4344 wrote to memory of 4524	4344	4DB0.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\42c9365b1284d5e5e95be8c82e3eb480.exe
"C:\Users\Admin\AppData\Local\Temp\42c9365b1284d5e5e95be8c82e3eb480.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3440

C:\Users\Admin\AppData\Local\Temp\3777.exe
C:\Users\Admin\AppData\Local\Temp\3777.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3777.exe.dll,z C:\Users\Admin\AppData\Local\Temp\3777.exe
2⤵
- Loads dropped DLL
PID:3980

C:\Users\Admin\AppData\Local\Temp\4DB0.exe
C:\Users\Admin\AppData\Local\Temp\4DB0.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4DB0.exe.dll,z C:\Users\Admin\AppData\Local\Temp\4DB0.exe
2⤵
- Loads dropped DLL
PID:4524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3777.exe
MD5
f8151b5d4c4e62166a8c2e914f54cbb7

SHA1
ee9da83f51b904db29d14847a013c4cff7ea6711

SHA256
7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0

SHA512
0e141cee03549a768d284381bd8751b3b3b18805bffa1ada7e4a7c44c3d50fae190d6a4d82ddaee76c82f2a853190549a2d6d1f3a3fdfef425cff3499933b084

Download Submit
C:\Users\Admin\AppData\Local\Temp\3777.exe
MD5
f8151b5d4c4e62166a8c2e914f54cbb7

SHA1
ee9da83f51b904db29d14847a013c4cff7ea6711

SHA256
7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0

SHA512
0e141cee03549a768d284381bd8751b3b3b18805bffa1ada7e4a7c44c3d50fae190d6a4d82ddaee76c82f2a853190549a2d6d1f3a3fdfef425cff3499933b084

Download Submit
C:\Users\Admin\AppData\Local\Temp\3777.exe.dll
MD5
77114117c5084723a9a731b042520d7a

SHA1
b46be9611f81365bc88c096afd4f90ab377c1ab6

SHA256
9cc189ff5873f6836dad2de1dc92fa2b7251de4813cf27a947193c2c0a3f04ad

SHA512
0748a7f41cbb181fae96d38abf7655662313dec63a1578ce660ef0a923db3f620598918f4dc910c3e78dcbb8654d891edf0c6d8e3e652d13083fd3aca7d9c62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DB0.exe
MD5
f8151b5d4c4e62166a8c2e914f54cbb7

SHA1
ee9da83f51b904db29d14847a013c4cff7ea6711

SHA256
7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0

SHA512
0e141cee03549a768d284381bd8751b3b3b18805bffa1ada7e4a7c44c3d50fae190d6a4d82ddaee76c82f2a853190549a2d6d1f3a3fdfef425cff3499933b084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DB0.exe
MD5
f8151b5d4c4e62166a8c2e914f54cbb7

SHA1
ee9da83f51b904db29d14847a013c4cff7ea6711

SHA256
7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0

SHA512
0e141cee03549a768d284381bd8751b3b3b18805bffa1ada7e4a7c44c3d50fae190d6a4d82ddaee76c82f2a853190549a2d6d1f3a3fdfef425cff3499933b084

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DB0.exe.dll
MD5
990d9475a4c1ce154a351e07928514f2

SHA1
b94a23d4170084f948a168e70d6b9f62745ec7c9

SHA256
ed08e1bad85fac0f1b9dc1aa4694d687a49489b7193818c7ec7fc6e0af3eda0d

SHA512
cc440f14314da96a88a9c6539da6ae4829b7506ae2e593b22a5a8739bd510ff9b67b823962f480268a63c7bbc774c65347a7051ab9001590073620c3b42649ba

Download Submit
\Users\Admin\AppData\Local\Temp\3777.exe.dll
MD5
77114117c5084723a9a731b042520d7a

SHA1
b46be9611f81365bc88c096afd4f90ab377c1ab6

SHA256
9cc189ff5873f6836dad2de1dc92fa2b7251de4813cf27a947193c2c0a3f04ad

SHA512
0748a7f41cbb181fae96d38abf7655662313dec63a1578ce660ef0a923db3f620598918f4dc910c3e78dcbb8654d891edf0c6d8e3e652d13083fd3aca7d9c62d

Download Submit
\Users\Admin\AppData\Local\Temp\4DB0.exe.dll
MD5
990d9475a4c1ce154a351e07928514f2

SHA1
b94a23d4170084f948a168e70d6b9f62745ec7c9

SHA256
ed08e1bad85fac0f1b9dc1aa4694d687a49489b7193818c7ec7fc6e0af3eda0d

SHA512
cc440f14314da96a88a9c6539da6ae4829b7506ae2e593b22a5a8739bd510ff9b67b823962f480268a63c7bbc774c65347a7051ab9001590073620c3b42649ba

Download Submit
memory/396-118-0x0000000000B20000-0x0000000000B36000-memory.dmp

Filesize
88KB

Download
memory/3440-115-0x0000000002B80000-0x0000000002CCA000-memory.dmp

Filesize
1.3MB

Download
memory/3440-117-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/3440-116-0x0000000002B80000-0x0000000002CCA000-memory.dmp

Filesize
1.3MB

Download
memory/3980-129-0x0000000000000000-mapping.dmp

Download
memory/4344-125-0x0000000000000000-mapping.dmp

Download
memory/4344-128-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/4368-119-0x0000000000000000-mapping.dmp

Download
memory/4368-122-0x00000000049C0000-0x0000000004AA2000-memory.dmp

Filesize
904KB

Download
memory/4368-124-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/4368-123-0x0000000004AB0000-0x0000000004BAA000-memory.dmp

Filesize
1000KB

Download
memory/4524-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads