danabot | 96e66b4ae99b64723c465071112d406e2d9311b784b0e51dbe4af769bd7ea59e

Analysis

max time kernel
151s
max time network
143s
platform
windows10_x64
resource
win10-en-20211208
submitted
09-01-2022 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61dae93d780db_Sun139.exe
Size

293KB
MD5

c817d8a9ea3ed03f247e2f0a000a675a
SHA1

4194929b5a02524e1e24179014fa13e95a93ee1a
SHA256

ca8990349224f84d04c36c55bf71b11376e8c9008909680bcc63519b3f1c1439
SHA512

08369b4303d481e42a7923fcf7606fef1379060fd65ecd0e224af48f396370e58421e9247471327f44e27166479c0944a57d37312888d42f532bbd661378a618

Score

10^/10

danabot smokeloader 4 backdoor banker suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

rc4.i32

Extracted

Family

danabot

Botnet

192.119.110.4:443

103.175.16.113:443

Attributes

embedded_hash
422236FD601D11EE82825A484D26DD6F
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F597.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\F597.exe.dll	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\23FB.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\23FB.exe.dll	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\23FB.exe.dll	DanabotLoader2021
behavioral2/memory/596-142-0x00000000040C0000-0x000000000420E000-memory.dmp	DanabotLoader2021

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

wjtrcacF597.exe23FB.exe

pid process

1488 wjtrcac
2832 F597.exe
1500 23FB.exe
Deletes itself 1 IoCs

Processes:

pid process

3036
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

604 rundll32.exe
596 rundll32.exe
596 rundll32.exe

pid	process
1488	wjtrcac
2832	F597.exe
1500	23FB.exe

pid	process
3036

pid	process
604	rundll32.exe
596	rundll32.exe
596	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

61dae93d780db_Sun139.exewjtrcac

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61dae93d780db_Sun139.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61dae93d780db_Sun139.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	61dae93d780db_Sun139.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wjtrcac
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wjtrcac
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wjtrcac

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

61dae93d780db_Sun139.exe

pid	process
2652	61dae93d780db_Sun139.exe
2652	61dae93d780db_Sun139.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

61dae93d780db_Sun139.exewjtrcac

pid process

2652 61dae93d780db_Sun139.exe
1488 wjtrcac

pid	process
3036

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

F597.exe23FB.exe

description	pid	process	target process
PID 3036 wrote to memory of 2832	3036		F597.exe
PID 3036 wrote to memory of 2832	3036		F597.exe
PID 3036 wrote to memory of 2832	3036		F597.exe
PID 3036 wrote to memory of 1500	3036		23FB.exe
PID 3036 wrote to memory of 1500	3036		23FB.exe
PID 3036 wrote to memory of 1500	3036		23FB.exe
PID 2832 wrote to memory of 604	2832	F597.exe	rundll32.exe
PID 2832 wrote to memory of 604	2832	F597.exe	rundll32.exe
PID 2832 wrote to memory of 604	2832	F597.exe	rundll32.exe
PID 1500 wrote to memory of 596	1500	23FB.exe	rundll32.exe
PID 1500 wrote to memory of 596	1500	23FB.exe	rundll32.exe
PID 1500 wrote to memory of 596	1500	23FB.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\61dae93d780db_Sun139.exe
"C:\Users\Admin\AppData\Local\Temp\61dae93d780db_Sun139.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2652

C:\Users\Admin\AppData\Roaming\wjtrcac
C:\Users\Admin\AppData\Roaming\wjtrcac
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1488

C:\Users\Admin\AppData\Local\Temp\F597.exe
C:\Users\Admin\AppData\Local\Temp\F597.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\F597.exe.dll,z C:\Users\Admin\AppData\Local\Temp\F597.exe
2⤵
- Loads dropped DLL
PID:604

C:\Users\Admin\AppData\Local\Temp\23FB.exe
C:\Users\Admin\AppData\Local\Temp\23FB.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\23FB.exe.dll,z C:\Users\Admin\AppData\Local\Temp\23FB.exe
2⤵
- Loads dropped DLL
PID:596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23FB.exe
MD5
63d9b309582fbf651840182519c04f18

SHA1
742539d685093f276242b1ca3fae82c0d20cad6a

SHA256
8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3

SHA512
c057b485f700071434df12cc27054936ecd904b4c302130c04f8317a0145f6e3c93ae556275b6d97bcddcbd7a26a1c22a112f9eb177c75fcc50cfb9cf1639385

Download Submit
C:\Users\Admin\AppData\Local\Temp\23FB.exe
MD5
63d9b309582fbf651840182519c04f18

SHA1
742539d685093f276242b1ca3fae82c0d20cad6a

SHA256
8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3

SHA512
c057b485f700071434df12cc27054936ecd904b4c302130c04f8317a0145f6e3c93ae556275b6d97bcddcbd7a26a1c22a112f9eb177c75fcc50cfb9cf1639385

Download Submit
C:\Users\Admin\AppData\Local\Temp\23FB.exe.dll
MD5
58a55db0fa9585087864cf3902f983ed

SHA1
f9e94abf3cbd41a6caa673a6aff6e15c0fda9e12

SHA256
cc4a3c45d3f4d41ae0ddc71155ce0a13b13279e7818d7c3f52b0572b45c93067

SHA512
32e0fd8c17f3d97f1db826daf6c073b3061e2c73aef178a7b5e88ae3021f7e190301f4fe4c1e9d35aed4ed8ddb0aab42130a8538d8ad4b3824703250263a1fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F597.exe
MD5
63d9b309582fbf651840182519c04f18

SHA1
742539d685093f276242b1ca3fae82c0d20cad6a

SHA256
8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3

SHA512
c057b485f700071434df12cc27054936ecd904b4c302130c04f8317a0145f6e3c93ae556275b6d97bcddcbd7a26a1c22a112f9eb177c75fcc50cfb9cf1639385

Download Submit
C:\Users\Admin\AppData\Local\Temp\F597.exe
MD5
63d9b309582fbf651840182519c04f18

SHA1
742539d685093f276242b1ca3fae82c0d20cad6a

SHA256
8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3

SHA512
c057b485f700071434df12cc27054936ecd904b4c302130c04f8317a0145f6e3c93ae556275b6d97bcddcbd7a26a1c22a112f9eb177c75fcc50cfb9cf1639385

Download Submit
C:\Users\Admin\AppData\Local\Temp\F597.exe.dll
MD5
d724cb47096211598dfbd042714ecef6

SHA1
ca42315bbd5a18771d7dac4ec7e01f23423e4c3b

SHA256
b0d99b0f0f68bda2b36c3929a3c712f4a53b850ed68618ebd2120d3ae23a4d07

SHA512
a14ac53c9c07c602306e2b0b465999ca7eaa136a75366446eb7c8c6ee279a066cf842a412cbd99cc54e90a4fd7566969fd63205d1fdd4af66fed1d504aa1b52a

Download Submit
C:\Users\Admin\AppData\Roaming\wjtrcac
MD5
c817d8a9ea3ed03f247e2f0a000a675a

SHA1
4194929b5a02524e1e24179014fa13e95a93ee1a

SHA256
ca8990349224f84d04c36c55bf71b11376e8c9008909680bcc63519b3f1c1439

SHA512
08369b4303d481e42a7923fcf7606fef1379060fd65ecd0e224af48f396370e58421e9247471327f44e27166479c0944a57d37312888d42f532bbd661378a618

Download Submit
C:\Users\Admin\AppData\Roaming\wjtrcac
MD5
c817d8a9ea3ed03f247e2f0a000a675a

SHA1
4194929b5a02524e1e24179014fa13e95a93ee1a

SHA256
ca8990349224f84d04c36c55bf71b11376e8c9008909680bcc63519b3f1c1439

SHA512
08369b4303d481e42a7923fcf7606fef1379060fd65ecd0e224af48f396370e58421e9247471327f44e27166479c0944a57d37312888d42f532bbd661378a618

Download Submit
\Users\Admin\AppData\Local\Temp\23FB.exe.dll
MD5
58a55db0fa9585087864cf3902f983ed

SHA1
f9e94abf3cbd41a6caa673a6aff6e15c0fda9e12

SHA256
cc4a3c45d3f4d41ae0ddc71155ce0a13b13279e7818d7c3f52b0572b45c93067

SHA512
32e0fd8c17f3d97f1db826daf6c073b3061e2c73aef178a7b5e88ae3021f7e190301f4fe4c1e9d35aed4ed8ddb0aab42130a8538d8ad4b3824703250263a1fe8

Download Submit
\Users\Admin\AppData\Local\Temp\23FB.exe.dll
MD5
58a55db0fa9585087864cf3902f983ed

SHA1
f9e94abf3cbd41a6caa673a6aff6e15c0fda9e12

SHA256
cc4a3c45d3f4d41ae0ddc71155ce0a13b13279e7818d7c3f52b0572b45c93067

SHA512
32e0fd8c17f3d97f1db826daf6c073b3061e2c73aef178a7b5e88ae3021f7e190301f4fe4c1e9d35aed4ed8ddb0aab42130a8538d8ad4b3824703250263a1fe8

Download Submit
\Users\Admin\AppData\Local\Temp\F597.exe.dll
MD5
d724cb47096211598dfbd042714ecef6

SHA1
ca42315bbd5a18771d7dac4ec7e01f23423e4c3b

SHA256
b0d99b0f0f68bda2b36c3929a3c712f4a53b850ed68618ebd2120d3ae23a4d07

SHA512
a14ac53c9c07c602306e2b0b465999ca7eaa136a75366446eb7c8c6ee279a066cf842a412cbd99cc54e90a4fd7566969fd63205d1fdd4af66fed1d504aa1b52a

Download Submit
memory/596-138-0x0000000000000000-mapping.dmp

Download
memory/596-142-0x00000000040C0000-0x000000000420E000-memory.dmp

Filesize
1.3MB

Download
memory/604-135-0x0000000000000000-mapping.dmp

Download
memory/1488-122-0x0000000004760000-0x0000000004769000-memory.dmp

Filesize
36KB

Download
memory/1488-123-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1488-121-0x0000000004750000-0x0000000004758000-memory.dmp

Filesize
32KB

Download
memory/1500-131-0x0000000000000000-mapping.dmp

Download
memory/1500-134-0x0000000000400000-0x0000000002C59000-memory.dmp

Filesize
40.3MB

Download
memory/2652-115-0x0000000002B80000-0x0000000002C2E000-memory.dmp

Filesize
696KB

Download
memory/2652-117-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/2652-116-0x0000000002B80000-0x0000000002C2E000-memory.dmp

Filesize
696KB

Download
memory/2832-129-0x0000000004AA0000-0x0000000004B9A000-memory.dmp

Filesize
1000KB

Download
memory/2832-125-0x0000000000000000-mapping.dmp

Download
memory/2832-130-0x0000000000400000-0x0000000002C59000-memory.dmp

Filesize
40.3MB

Download
memory/2832-128-0x00000000049B0000-0x0000000004A93000-memory.dmp

Filesize
908KB

Download
memory/3036-124-0x00000000030F0000-0x0000000003106000-memory.dmp

Filesize
88KB

Download
memory/3036-118-0x0000000001120000-0x0000000001136000-memory.dmp

Filesize
88KB

Download