danabot | 01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d

Analysis

max time kernel
150s
max time network
142s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exe
Size

197KB
MD5

566b85711405814185f3395067c9c256
SHA1

48df247f7237ffc1f672a6370667a57bc78705a0
SHA256

01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d
SHA512

f66fc8094d220610211394169fee2cf836e666c43720419d23a0ffd2f683d5f8cf3985a938ae59b2d7276ba707bd07f1cf88012e083fe396a2cabc05fc2cc6c8
SSDEEP

3072:Y3H6RLBM8naN5Nf5RzVM4Hl8FIpWxqVnfXKB/PBwc/PkkXx:5LRnEfHVM08FI0oXs

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2656-151-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

C614.exethduite

pid process

3096 C614.exe
3920 thduite
Deletes itself 1 IoCs

Processes:

pid process

2172
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

424 3096 WerFault.exe C614.exe
4388 3096 WerFault.exe C614.exe

pid	process
3096	C614.exe
3920	thduite

pid	process
2172

pid	pid_target	process	target process
424	3096	WerFault.exe	C614.exe
4388	3096	WerFault.exe	C614.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

thduite01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thduite
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thduite
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thduite

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exe

pid	process
2656	01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exe
2656	01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exe
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2172
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exethduite

pid process

2656 01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exe
3920 thduite
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2172
Token: SeCreatePagefilePrivilege 2172

pid	process
2172

description	pid	process
Token: SeShutdownPrivilege	2172
Token: SeCreatePagefilePrivilege	2172

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

C614.exe

description	pid	process	target process
PID 2172 wrote to memory of 3096	2172		C614.exe
PID 2172 wrote to memory of 3096	2172		C614.exe
PID 2172 wrote to memory of 3096	2172		C614.exe
PID 3096 wrote to memory of 4196	3096	C614.exe	appidtel.exe
PID 3096 wrote to memory of 4196	3096	C614.exe	appidtel.exe
PID 3096 wrote to memory of 4196	3096	C614.exe	appidtel.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe
PID 3096 wrote to memory of 4888	3096	C614.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exe
"C:\Users\Admin\AppData\Local\Temp\01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2656

C:\Users\Admin\AppData\Local\Temp\C614.exe
C:\Users\Admin\AppData\Local\Temp\C614.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:4196

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 600
2⤵
- Program crash
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 624
2⤵
- Program crash
PID:4388

C:\Users\Admin\AppData\Roaming\thduite
C:\Users\Admin\AppData\Roaming\thduite
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C614.exe
Filesize
1.3MB

MD5
0d04f4dcf1c8057b6ed68057444a68a8

SHA1
c5c089025aef15d1aaa13c746f597bcb57fc45ce

SHA256
c13e4751e60749c9f221b107efbc807514299c8452346f5fdf07de91fc47c7de

SHA512
46a42550b0996c9875f7e68afa21b32437f013d2b3a8db7b6965b86ded369c3ef9dfbcbbc11904c58456e1d5919dea897b1f59455ea77af016c901e43b0984b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C614.exe
Filesize
1.3MB

MD5
0d04f4dcf1c8057b6ed68057444a68a8

SHA1
c5c089025aef15d1aaa13c746f597bcb57fc45ce

SHA256
c13e4751e60749c9f221b107efbc807514299c8452346f5fdf07de91fc47c7de

SHA512
46a42550b0996c9875f7e68afa21b32437f013d2b3a8db7b6965b86ded369c3ef9dfbcbbc11904c58456e1d5919dea897b1f59455ea77af016c901e43b0984b2

Download Submit
C:\Users\Admin\AppData\Roaming\thduite
Filesize
197KB

MD5
566b85711405814185f3395067c9c256

SHA1
48df247f7237ffc1f672a6370667a57bc78705a0

SHA256
01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d

SHA512
f66fc8094d220610211394169fee2cf836e666c43720419d23a0ffd2f683d5f8cf3985a938ae59b2d7276ba707bd07f1cf88012e083fe396a2cabc05fc2cc6c8

Download Submit
C:\Users\Admin\AppData\Roaming\thduite
Filesize
197KB

MD5
566b85711405814185f3395067c9c256

SHA1
48df247f7237ffc1f672a6370667a57bc78705a0

SHA256
01911c2c5d240bf99089ba1296288140439fb0a35c3a468e2d119a4f94a76d4d

SHA512
f66fc8094d220610211394169fee2cf836e666c43720419d23a0ffd2f683d5f8cf3985a938ae59b2d7276ba707bd07f1cf88012e083fe396a2cabc05fc2cc6c8

Download Submit
memory/2656-137-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-120-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-123-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-124-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-125-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-126-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-127-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-128-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-138-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-130-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-131-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-132-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-133-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-134-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-135-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-136-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-121-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-139-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-129-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-122-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-146-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-142-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-143-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-144-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-145-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-141-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-147-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-149-0x0000000000836000-0x0000000000847000-memory.dmp

Filesize
68KB

Download
memory/2656-148-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-151-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/2656-150-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-153-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2656-152-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-154-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-155-0x0000000000836000-0x0000000000847000-memory.dmp

Filesize
68KB

Download
memory/2656-156-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2656-140-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-119-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-160-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-185-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-162-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-163-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-164-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-167-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-165-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-168-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-169-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-172-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-173-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-171-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-170-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-174-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-176-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-177-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-178-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-180-0x0000000002410000-0x000000000253B000-memory.dmp

Filesize
1.2MB

Download
memory/3096-179-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-181-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-183-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-184-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-182-0x0000000002540000-0x000000000281B000-memory.dmp

Filesize
2.9MB

Download
memory/3096-161-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-186-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-187-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-188-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-189-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-190-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-191-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-194-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3096-205-0x0000000002410000-0x000000000253B000-memory.dmp

Filesize
1.2MB

Download
memory/3096-206-0x0000000002540000-0x000000000281B000-memory.dmp

Filesize
2.9MB

Download
memory/3096-157-0x0000000000000000-mapping.dmp

Download
memory/3096-207-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3096-220-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3096-221-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3096-159-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3920-257-0x0000000000837000-0x0000000000848000-memory.dmp

Filesize
68KB

Download
memory/3920-258-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/3920-259-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/3920-260-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/4196-192-0x0000000000000000-mapping.dmp

Download
memory/4196-193-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4196-195-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download