danabot | 2d0bd38ea59864cdcd710759abea3f670449eb4505b54c8a8d22128691deefc1

Resubmissions

09-01-2022 14:33

220109-rwxq5sdhcr 10

09-01-2022 14:06

220109-rejg7aded7 10

09-01-2022 08:20

220109-j8fz6addd9 10

Analysis

max time kernel
151s
max time network
134s
platform
windows10_x64
resource
win10-en-20211208
submitted
09-01-2022 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59ddabdcb5b43bbc66bbec89123d2627.exe
Size

265KB
MD5

59ddabdcb5b43bbc66bbec89123d2627
SHA1

6c33dde51d6b45319ad99408c10f6ad8b1340e2f
SHA256

2d0bd38ea59864cdcd710759abea3f670449eb4505b54c8a8d22128691deefc1
SHA512

56463528dc37c141519535140a24d0ce02ca2227ef8c302494e422109e5d6b83a5d6ac5f2b698838e29661cd9dd986d9a2dc0f7c3c4f025f5283cebca052b8b3

Score

10^/10

danabot smokeloader 4 backdoor banker trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

rc4.i32

Extracted

Family

danabot

Botnet

192.119.110.4:443

103.175.16.113:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\E8E5.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\E8E5.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\E8E5.exe.dll	DanabotLoader2021
behavioral2/memory/2636-133-0x00000000041A0000-0x00000000042F1000-memory.dmp	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\6BF.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\6BF.exe.dll	DanabotLoader2021

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

E8E5.exe6BF.exe

pid process

2276 E8E5.exe
1416 6BF.exe
Deletes itself 1 IoCs

Processes:

pid process

2072
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2636 rundll32.exe
2636 rundll32.exe
704 rundll32.exe

pid	process
2276	E8E5.exe
1416	6BF.exe

pid	process
2072

pid	process
2636	rundll32.exe
2636	rundll32.exe
704	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

59ddabdcb5b43bbc66bbec89123d2627.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59ddabdcb5b43bbc66bbec89123d2627.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59ddabdcb5b43bbc66bbec89123d2627.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	59ddabdcb5b43bbc66bbec89123d2627.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

59ddabdcb5b43bbc66bbec89123d2627.exe

pid	process
3556	59ddabdcb5b43bbc66bbec89123d2627.exe
3556	59ddabdcb5b43bbc66bbec89123d2627.exe
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072
2072

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2072
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

59ddabdcb5b43bbc66bbec89123d2627.exe

pid process

3556 59ddabdcb5b43bbc66bbec89123d2627.exe

pid	process
2072

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

E8E5.exe6BF.exe

description	pid	process	target process
PID 2072 wrote to memory of 2276	2072		E8E5.exe
PID 2072 wrote to memory of 2276	2072		E8E5.exe
PID 2072 wrote to memory of 2276	2072		E8E5.exe
PID 2072 wrote to memory of 1416	2072		6BF.exe
PID 2072 wrote to memory of 1416	2072		6BF.exe
PID 2072 wrote to memory of 1416	2072		6BF.exe
PID 2276 wrote to memory of 2636	2276	E8E5.exe	rundll32.exe
PID 2276 wrote to memory of 2636	2276	E8E5.exe	rundll32.exe
PID 2276 wrote to memory of 2636	2276	E8E5.exe	rundll32.exe
PID 1416 wrote to memory of 704	1416	6BF.exe	rundll32.exe
PID 1416 wrote to memory of 704	1416	6BF.exe	rundll32.exe
PID 1416 wrote to memory of 704	1416	6BF.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\59ddabdcb5b43bbc66bbec89123d2627.exe
"C:\Users\Admin\AppData\Local\Temp\59ddabdcb5b43bbc66bbec89123d2627.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3556

C:\Users\Admin\AppData\Local\Temp\E8E5.exe
C:\Users\Admin\AppData\Local\Temp\E8E5.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E8E5.exe.dll,z C:\Users\Admin\AppData\Local\Temp\E8E5.exe
2⤵
- Loads dropped DLL
PID:2636

C:\Users\Admin\AppData\Local\Temp\6BF.exe
C:\Users\Admin\AppData\Local\Temp\6BF.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6BF.exe.dll,z C:\Users\Admin\AppData\Local\Temp\6BF.exe
2⤵
- Loads dropped DLL
PID:704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6BF.exe
MD5
f601ad405d65674d3fdd6d9625770487

SHA1
2d5a12ef12b560d3bb634fa37d78951169113949

SHA256
2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d

SHA512
1347e26b67ed12d3173196aaca8e9fcad5bb8f6ed17e0482c5b5e33ddbecb19b954d46fcea4ff9e07e7d116b2c3ba351a1ce3aae294e4ce9e176797115a8171f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BF.exe
MD5
f601ad405d65674d3fdd6d9625770487

SHA1
2d5a12ef12b560d3bb634fa37d78951169113949

SHA256
2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d

SHA512
1347e26b67ed12d3173196aaca8e9fcad5bb8f6ed17e0482c5b5e33ddbecb19b954d46fcea4ff9e07e7d116b2c3ba351a1ce3aae294e4ce9e176797115a8171f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BF.exe.dll
MD5
12cea97c5ccddf9b6f5b27f24de751ab

SHA1
3d5bbc18d79f3c6ac7f5ac3e7339c933d5ce1688

SHA256
4dbe786bf280ffd7d6f9c34eb4ce7f3f358520d7763454b2115dd7ce6ead4659

SHA512
36301621111b8678182d966fa89b51448f089d10758310ee2b11d04c9483c2a988de962f04ab345b82f45bbe0998b3a22df01f587cc71dc0fca475b72df5eda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8E5.exe
MD5
f601ad405d65674d3fdd6d9625770487

SHA1
2d5a12ef12b560d3bb634fa37d78951169113949

SHA256
2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d

SHA512
1347e26b67ed12d3173196aaca8e9fcad5bb8f6ed17e0482c5b5e33ddbecb19b954d46fcea4ff9e07e7d116b2c3ba351a1ce3aae294e4ce9e176797115a8171f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8E5.exe
MD5
f601ad405d65674d3fdd6d9625770487

SHA1
2d5a12ef12b560d3bb634fa37d78951169113949

SHA256
2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d

SHA512
1347e26b67ed12d3173196aaca8e9fcad5bb8f6ed17e0482c5b5e33ddbecb19b954d46fcea4ff9e07e7d116b2c3ba351a1ce3aae294e4ce9e176797115a8171f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8E5.exe.dll
MD5
474352d90b151dce6d9b324fb2b3a414

SHA1
5799bb2e66eead0200443590fc506bcb0c5de061

SHA256
dad6f665ddd690b95b91428f312d3f958380240249fac2ff4d936d4d5af1b456

SHA512
3503ee76dbeccac6339d9340610eb9ad23ff82f74bb56eb34e4892187a2609ae6f45056862ea5a816ef922d0bfd624f4133708dd2a1a27e968677ed8c0935979

Download Submit
\Users\Admin\AppData\Local\Temp\6BF.exe.dll
MD5
12cea97c5ccddf9b6f5b27f24de751ab

SHA1
3d5bbc18d79f3c6ac7f5ac3e7339c933d5ce1688

SHA256
4dbe786bf280ffd7d6f9c34eb4ce7f3f358520d7763454b2115dd7ce6ead4659

SHA512
36301621111b8678182d966fa89b51448f089d10758310ee2b11d04c9483c2a988de962f04ab345b82f45bbe0998b3a22df01f587cc71dc0fca475b72df5eda3

Download Submit
\Users\Admin\AppData\Local\Temp\E8E5.exe.dll
MD5
474352d90b151dce6d9b324fb2b3a414

SHA1
5799bb2e66eead0200443590fc506bcb0c5de061

SHA256
dad6f665ddd690b95b91428f312d3f958380240249fac2ff4d936d4d5af1b456

SHA512
3503ee76dbeccac6339d9340610eb9ad23ff82f74bb56eb34e4892187a2609ae6f45056862ea5a816ef922d0bfd624f4133708dd2a1a27e968677ed8c0935979

Download Submit
\Users\Admin\AppData\Local\Temp\E8E5.exe.dll
MD5
474352d90b151dce6d9b324fb2b3a414

SHA1
5799bb2e66eead0200443590fc506bcb0c5de061

SHA256
dad6f665ddd690b95b91428f312d3f958380240249fac2ff4d936d4d5af1b456

SHA512
3503ee76dbeccac6339d9340610eb9ad23ff82f74bb56eb34e4892187a2609ae6f45056862ea5a816ef922d0bfd624f4133708dd2a1a27e968677ed8c0935979

Download Submit
memory/704-134-0x0000000000000000-mapping.dmp

Download
memory/1416-125-0x0000000000000000-mapping.dmp

Download
memory/1416-128-0x0000000000400000-0x0000000002C54000-memory.dmp

Filesize
40.3MB

Download
memory/2072-118-0x0000000000DF0000-0x0000000000E06000-memory.dmp

Filesize
88KB

Download
memory/2276-123-0x0000000004AA0000-0x0000000004B9C000-memory.dmp

Filesize
1008KB

Download
memory/2276-122-0x00000000049B0000-0x0000000004A94000-memory.dmp

Filesize
912KB

Download
memory/2276-124-0x0000000000400000-0x0000000002C54000-memory.dmp

Filesize
40.3MB

Download
memory/2276-119-0x0000000000000000-mapping.dmp

Download
memory/2636-129-0x0000000000000000-mapping.dmp

Download
memory/2636-133-0x00000000041A0000-0x00000000042F1000-memory.dmp

Filesize
1.3MB

Download
memory/3556-115-0x0000000002B80000-0x0000000002CCA000-memory.dmp

Filesize
1.3MB

Download
memory/3556-116-0x0000000002B80000-0x0000000002CCA000-memory.dmp

Filesize
1.3MB

Download
memory/3556-117-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download