danabot | de4310ebfe29b453df0d4f902c675b6e442f75242ddee9ed0e1c37cc30cf66cc

Analysis

max time kernel
150s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
11/09/2022, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de4310ebfe29b453df0d4f902c675b6e442f75242ddee9ed0e1c37cc30cf66cc.exe
Size

304KB
MD5

c4b6c77543692a891bf5575295ea5ff9
SHA1

0579ce49636b937878fe02e3db73a1b0fcde3083
SHA256

de4310ebfe29b453df0d4f902c675b6e442f75242ddee9ed0e1c37cc30cf66cc
SHA512

a273acf81db3fe3aff7e4a33adb1cd0ab62ff10eaff673bdd64210a9e30de26b9cb6bf31cf747eb8149818739ad1c0b37e3eac30a41f6d668c2aca17fee08d2e
SSDEEP

6144:YrAO+jLcHal6CQwyVmwAKWn15hMeCXO8YAajTFU+Vhz:YhKc01QwyVmwQn15yOdXG

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/2188-147-0x0000000002500000-0x0000000002509000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3464	1DF.exe

Deletes itself 1 IoCs

pid	Process
3024	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
1208	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	de4310ebfe29b453df0d4f902c675b6e442f75242ddee9ed0e1c37cc30cf66cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	de4310ebfe29b453df0d4f902c675b6e442f75242ddee9ed0e1c37cc30cf66cc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	de4310ebfe29b453df0d4f902c675b6e442f75242ddee9ed0e1c37cc30cf66cc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	de4310ebfe29b453df0d4f902c675b6e442f75242ddee9ed0e1c37cc30cf66cc.exe
2188	de4310ebfe29b453df0d4f902c675b6e442f75242ddee9ed0e1c37cc30cf66cc.exe
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found
3024	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3024	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2188	de4310ebfe29b453df0d4f902c675b6e442f75242ddee9ed0e1c37cc30cf66cc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3464	3024	Process not Found	66
PID 3024 wrote to memory of 3464	3024	Process not Found	66
PID 3024 wrote to memory of 3464	3024	Process not Found	66
PID 3464 wrote to memory of 1208	3464	1DF.exe	67
PID 3464 wrote to memory of 1208	3464	1DF.exe	67
PID 3464 wrote to memory of 1208	3464	1DF.exe	67

C:\Users\Admin\AppData\Local\Temp\de4310ebfe29b453df0d4f902c675b6e442f75242ddee9ed0e1c37cc30cf66cc.exe
"C:\Users\Admin\AppData\Local\Temp\de4310ebfe29b453df0d4f902c675b6e442f75242ddee9ed0e1c37cc30cf66cc.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2188

C:\Users\Admin\AppData\Local\Temp\1DF.exe
C:\Users\Admin\AppData\Local\Temp\1DF.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Pedeuesu.dll,start C:\Users\Admin\AppData\Local\Temp\1DF.exe
  2⤵
  - Loads dropped DLL
  PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1DF.exe

Filesize
2.5MB

MD5
c335ad9a447bc1479ccf5d0f955775e0

SHA1
1f856b9a95e91ceb9035e31b1bb2808d9c99744d

SHA256
b4451017413576547622f566432cd316b3ffce335a378869bffc1bf661005946

SHA512
f6073046a6db1f50b8f0a07a85cd633d00242542916cb03a713ce3f1aab25365e21d0602311af1f986d126002a9db0cdcc6953c4fbc6108cf49e0bd556c9f3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DF.exe

Filesize
2.5MB

MD5
c335ad9a447bc1479ccf5d0f955775e0

SHA1
1f856b9a95e91ceb9035e31b1bb2808d9c99744d

SHA256
b4451017413576547622f566432cd316b3ffce335a378869bffc1bf661005946

SHA512
f6073046a6db1f50b8f0a07a85cd633d00242542916cb03a713ce3f1aab25365e21d0602311af1f986d126002a9db0cdcc6953c4fbc6108cf49e0bd556c9f3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pedeuesu.dll

Filesize
3.1MB

MD5
41601e8acf775a91524bafa545061804

SHA1
084d4b6e1b281d696630450358698e77de7d5e7e

SHA256
5e509614faa874c9b13d707d7bdadcd7fbd0ee5427d8f17d0cb185e932ab868d

SHA512
32e82e9eea04f6939aae935723124e10a66453b70e2d45d3303dddafd7ca38f36930e26207f8da144b5e9ecac460182b96684900096810952d82ab12379b822e

Download Submit
\Users\Admin\AppData\Local\Temp\Pedeuesu.dll

Filesize
2.4MB

MD5
965a552812af7bf019a56444abab9471

SHA1
e83e59e0b09e2a38b2b1f134e7a3b7ec6d604ef4

SHA256
dd602a9598bd4506c30394f9db3b6deb1acb01c627465a2839219c18cc659d53

SHA512
a31ccdcc60a74d0d83da094aa6041f467e3e7484e964ecdb6a2ea9bddb42290d07dcd62631260cf25c677109316dc5ea62fa8e2e9e7bddbccef302f946a718eb

Download Submit
memory/2188-156-0x0000000000400000-0x00000000007EE000-memory.dmp

Filesize
3.9MB

Download
memory/2188-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-157-0x0000000000400000-0x00000000007EE000-memory.dmp

Filesize
3.9MB

Download
memory/2188-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-146-0x00000000008D0000-0x0000000000A1A000-memory.dmp

Filesize
1.3MB

Download
memory/2188-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-147-0x0000000002500000-0x0000000002509000-memory.dmp

Filesize
36KB

Download
memory/2188-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-185-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-186-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-188-0x0000000002880000-0x0000000002ACE000-memory.dmp

Filesize
2.3MB

Download
memory/3464-187-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-189-0x0000000002AD0000-0x0000000002D43000-memory.dmp

Filesize
2.4MB

Download
memory/3464-190-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-191-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-192-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-193-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-194-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-202-0x0000000000400000-0x0000000000A1D000-memory.dmp

Filesize
6.1MB

Download
memory/3464-205-0x0000000002880000-0x0000000002ACE000-memory.dmp

Filesize
2.3MB

Download
memory/3464-206-0x0000000002AD0000-0x0000000002D43000-memory.dmp

Filesize
2.4MB

Download
memory/3464-207-0x0000000000400000-0x0000000000A1D000-memory.dmp

Filesize
6.1MB

Download
memory/3464-212-0x0000000000400000-0x0000000000A1D000-memory.dmp

Filesize
6.1MB

Download