danabot | 96e66b4ae99b64723c465071112d406e2d9311b784b0e51dbe4af769bd7ea59e

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-en-20211208
submitted
09-01-2022 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61dae93d780db_Sun139.exe
Size

293KB
MD5

c817d8a9ea3ed03f247e2f0a000a675a
SHA1

4194929b5a02524e1e24179014fa13e95a93ee1a
SHA256

ca8990349224f84d04c36c55bf71b11376e8c9008909680bcc63519b3f1c1439
SHA512

08369b4303d481e42a7923fcf7606fef1379060fd65ecd0e224af48f396370e58421e9247471327f44e27166479c0944a57d37312888d42f532bbd661378a618

Score

10^/10

danabot smokeloader 4 backdoor banker trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

rc4.i32

Extracted

Family

danabot

Botnet

192.119.110.4:443

103.175.16.113:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AB9B.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\AB9B.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\AB9B.exe.dll	DanabotLoader2021
behavioral1/memory/1380-82-0x0000000000940000-0x0000000000A8E000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\AB9B.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\AB9B.exe.dll	DanabotLoader2021

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

AB9B.exeuutfcrwD6B1.exe

pid process

1092 AB9B.exe
592 uutfcrw
744 D6B1.exe
Deletes itself 1 IoCs

Processes:

pid process

1208
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1380 rundll32.exe
1380 rundll32.exe
1380 rundll32.exe
1380 rundll32.exe

pid	process
1092	AB9B.exe
592	uutfcrw
744	D6B1.exe

pid	process
1208

pid	process
1380	rundll32.exe
1380	rundll32.exe
1380	rundll32.exe
1380	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

uutfcrw61dae93d780db_Sun139.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uutfcrw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61dae93d780db_Sun139.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61dae93d780db_Sun139.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61dae93d780db_Sun139.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uutfcrw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uutfcrw

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

61dae93d780db_Sun139.exe

pid	process
1588	61dae93d780db_Sun139.exe
1588	61dae93d780db_Sun139.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

61dae93d780db_Sun139.exeuutfcrw

pid process

1588 61dae93d780db_Sun139.exe
592 uutfcrw
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1208
1208
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1208
1208

pid	process
1208
1208

pid	process
1208
1208

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

taskeng.exeAB9B.exe

description	pid	process	target process
PID 1208 wrote to memory of 1092	1208		AB9B.exe
PID 1208 wrote to memory of 1092	1208		AB9B.exe
PID 1208 wrote to memory of 1092	1208		AB9B.exe
PID 1208 wrote to memory of 1092	1208		AB9B.exe
PID 1528 wrote to memory of 592	1528	taskeng.exe	uutfcrw
PID 1528 wrote to memory of 592	1528	taskeng.exe	uutfcrw
PID 1528 wrote to memory of 592	1528	taskeng.exe	uutfcrw
PID 1528 wrote to memory of 592	1528	taskeng.exe	uutfcrw
PID 1208 wrote to memory of 744	1208		D6B1.exe
PID 1208 wrote to memory of 744	1208		D6B1.exe
PID 1208 wrote to memory of 744	1208		D6B1.exe
PID 1208 wrote to memory of 744	1208		D6B1.exe
PID 1092 wrote to memory of 1380	1092	AB9B.exe	rundll32.exe
PID 1092 wrote to memory of 1380	1092	AB9B.exe	rundll32.exe
PID 1092 wrote to memory of 1380	1092	AB9B.exe	rundll32.exe
PID 1092 wrote to memory of 1380	1092	AB9B.exe	rundll32.exe
PID 1092 wrote to memory of 1380	1092	AB9B.exe	rundll32.exe
PID 1092 wrote to memory of 1380	1092	AB9B.exe	rundll32.exe
PID 1092 wrote to memory of 1380	1092	AB9B.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\61dae93d780db_Sun139.exe
"C:\Users\Admin\AppData\Local\Temp\61dae93d780db_Sun139.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1588

C:\Users\Admin\AppData\Local\Temp\AB9B.exe
C:\Users\Admin\AppData\Local\Temp\AB9B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\AB9B.exe.dll,z C:\Users\Admin\AppData\Local\Temp\AB9B.exe
2⤵
- Loads dropped DLL
PID:1380

C:\Windows\system32\taskeng.exe
taskeng.exe {62CB9813-5303-46B8-917D-F766E83F140F} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Roaming\uutfcrw
C:\Users\Admin\AppData\Roaming\uutfcrw
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:592

C:\Users\Admin\AppData\Local\Temp\D6B1.exe
C:\Users\Admin\AppData\Local\Temp\D6B1.exe
1⤵
- Executes dropped EXE
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AB9B.exe
MD5
63d9b309582fbf651840182519c04f18

SHA1
742539d685093f276242b1ca3fae82c0d20cad6a

SHA256
8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3

SHA512
c057b485f700071434df12cc27054936ecd904b4c302130c04f8317a0145f6e3c93ae556275b6d97bcddcbd7a26a1c22a112f9eb177c75fcc50cfb9cf1639385

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB9B.exe.dll
MD5
92f938645c119b58ff99e2211c8fb532

SHA1
37834ac4c83eb21fda06f7e94bd0913c02ba3d3e

SHA256
b2c8059bb7cba32f2acae53c3e626bcea56918db9e391eddab96c6a089c9ced0

SHA512
117c972ead27dce4e7ac2f6336fbe1fff2a6a3afbe208109109af8b26797634ac9688d69063be3d28d1f16a6851293671c8c63b62d56d7310b5e67914bbd3046

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B1.exe
MD5
63d9b309582fbf651840182519c04f18

SHA1
742539d685093f276242b1ca3fae82c0d20cad6a

SHA256
8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3

SHA512
c057b485f700071434df12cc27054936ecd904b4c302130c04f8317a0145f6e3c93ae556275b6d97bcddcbd7a26a1c22a112f9eb177c75fcc50cfb9cf1639385

Download Submit
C:\Users\Admin\AppData\Roaming\uutfcrw
MD5
c817d8a9ea3ed03f247e2f0a000a675a

SHA1
4194929b5a02524e1e24179014fa13e95a93ee1a

SHA256
ca8990349224f84d04c36c55bf71b11376e8c9008909680bcc63519b3f1c1439

SHA512
08369b4303d481e42a7923fcf7606fef1379060fd65ecd0e224af48f396370e58421e9247471327f44e27166479c0944a57d37312888d42f532bbd661378a618

Download Submit
C:\Users\Admin\AppData\Roaming\uutfcrw
MD5
c817d8a9ea3ed03f247e2f0a000a675a

SHA1
4194929b5a02524e1e24179014fa13e95a93ee1a

SHA256
ca8990349224f84d04c36c55bf71b11376e8c9008909680bcc63519b3f1c1439

SHA512
08369b4303d481e42a7923fcf7606fef1379060fd65ecd0e224af48f396370e58421e9247471327f44e27166479c0944a57d37312888d42f532bbd661378a618

Download Submit
\Users\Admin\AppData\Local\Temp\AB9B.exe.dll
MD5
92f938645c119b58ff99e2211c8fb532

SHA1
37834ac4c83eb21fda06f7e94bd0913c02ba3d3e

SHA256
b2c8059bb7cba32f2acae53c3e626bcea56918db9e391eddab96c6a089c9ced0

SHA512
117c972ead27dce4e7ac2f6336fbe1fff2a6a3afbe208109109af8b26797634ac9688d69063be3d28d1f16a6851293671c8c63b62d56d7310b5e67914bbd3046

Download Submit
\Users\Admin\AppData\Local\Temp\AB9B.exe.dll
MD5
92f938645c119b58ff99e2211c8fb532

SHA1
37834ac4c83eb21fda06f7e94bd0913c02ba3d3e

SHA256
b2c8059bb7cba32f2acae53c3e626bcea56918db9e391eddab96c6a089c9ced0

SHA512
117c972ead27dce4e7ac2f6336fbe1fff2a6a3afbe208109109af8b26797634ac9688d69063be3d28d1f16a6851293671c8c63b62d56d7310b5e67914bbd3046

Download Submit
\Users\Admin\AppData\Local\Temp\AB9B.exe.dll
MD5
92f938645c119b58ff99e2211c8fb532

SHA1
37834ac4c83eb21fda06f7e94bd0913c02ba3d3e

SHA256
b2c8059bb7cba32f2acae53c3e626bcea56918db9e391eddab96c6a089c9ced0

SHA512
117c972ead27dce4e7ac2f6336fbe1fff2a6a3afbe208109109af8b26797634ac9688d69063be3d28d1f16a6851293671c8c63b62d56d7310b5e67914bbd3046

Download Submit
\Users\Admin\AppData\Local\Temp\AB9B.exe.dll
MD5
92f938645c119b58ff99e2211c8fb532

SHA1
37834ac4c83eb21fda06f7e94bd0913c02ba3d3e

SHA256
b2c8059bb7cba32f2acae53c3e626bcea56918db9e391eddab96c6a089c9ced0

SHA512
117c972ead27dce4e7ac2f6336fbe1fff2a6a3afbe208109109af8b26797634ac9688d69063be3d28d1f16a6851293671c8c63b62d56d7310b5e67914bbd3046

Download Submit
memory/592-62-0x0000000000000000-mapping.dmp

Download
memory/592-73-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/744-71-0x0000000000400000-0x0000000002C59000-memory.dmp

Filesize
40.3MB

Download
memory/744-64-0x0000000000000000-mapping.dmp

Download
memory/1092-67-0x00000000046D0000-0x00000000047CA000-memory.dmp

Filesize
1000KB

Download
memory/1092-69-0x0000000000400000-0x0000000002C59000-memory.dmp

Filesize
40.3MB

Download
memory/1092-66-0x0000000004580000-0x0000000004663000-memory.dmp

Filesize
908KB

Download
memory/1092-59-0x0000000000000000-mapping.dmp

Download
memory/1208-74-0x0000000002CB0000-0x0000000002CC6000-memory.dmp

Filesize
88KB

Download
memory/1208-58-0x0000000002B40000-0x0000000002B56000-memory.dmp

Filesize
88KB

Download
memory/1380-75-0x0000000000000000-mapping.dmp

Download
memory/1380-82-0x0000000000940000-0x0000000000A8E000-memory.dmp

Filesize
1.3MB

Download
memory/1588-55-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1588-57-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/1588-56-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1588-54-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download