danabot | d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593

Analysis

max time kernel
150s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe
Size

200KB
MD5

8103713139a4ffbccf111954d4934368
SHA1

112b2d8f63b2b7bc1b719993af19ec2c951d041d
SHA256

d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593
SHA512

e71a77cc1b7812544471570659a4b218475b09d2e82f6db1dd23ee86a987b26a2ea791f355a0eb885eb9bc13d6ff97d44cb2f572decf7433349fee2c7b72bea3
SSDEEP

3072:qw4nyEzLTffCXg85UNeHj/MLML2jWWc3T+eixgGZhRBvipo/Pkj4x:qIkLTCX2K/MQL26WcDSxHZo

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2668-147-0x00000000022A0000-0x00000000022A9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

1F01.exe

pid process

4636 1F01.exe
Deletes itself 1 IoCs

Processes:

pid process

3032
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5116 4636 WerFault.exe 1F01.exe
4272 4636 WerFault.exe 1F01.exe

pid	process
4636	1F01.exe

pid	process
3032

pid	pid_target	process	target process
5116	4636	WerFault.exe	1F01.exe
4272	4636	WerFault.exe	1F01.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe

pid	process
2668	d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe
2668	d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe

pid process

2668 d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3032
Token: SeCreatePagefilePrivilege 3032

pid	process
3032

description	pid	process
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1F01.exe

description	pid	process	target process
PID 3032 wrote to memory of 4636	3032		1F01.exe
PID 3032 wrote to memory of 4636	3032		1F01.exe
PID 3032 wrote to memory of 4636	3032		1F01.exe
PID 4636 wrote to memory of 4752	4636	1F01.exe	appidtel.exe
PID 4636 wrote to memory of 4752	4636	1F01.exe	appidtel.exe
PID 4636 wrote to memory of 4752	4636	1F01.exe	appidtel.exe
PID 4636 wrote to memory of 5092	4636	1F01.exe	rundll32.exe
PID 4636 wrote to memory of 5092	4636	1F01.exe	rundll32.exe
PID 4636 wrote to memory of 5092	4636	1F01.exe	rundll32.exe
PID 4636 wrote to memory of 5092	4636	1F01.exe	rundll32.exe
PID 4636 wrote to memory of 5092	4636	1F01.exe	rundll32.exe
PID 4636 wrote to memory of 5092	4636	1F01.exe	rundll32.exe
PID 4636 wrote to memory of 5092	4636	1F01.exe	rundll32.exe
PID 4636 wrote to memory of 5092	4636	1F01.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe
"C:\Users\Admin\AppData\Local\Temp\d661bb563505adbc0275e66634e75b0e2f024f33fd5d8ed6b726287dd9f24593.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2668

C:\Users\Admin\AppData\Local\Temp\1F01.exe
C:\Users\Admin\AppData\Local\Temp\1F01.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:4752

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 608
2⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 568
2⤵
- Program crash
PID:4272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1F01.exe
Filesize
1.3MB

MD5
f4d84eb34cdbd8b51173f50ae9302556

SHA1
cf03ff45dae92c973774b5a2bc937bdd29fa9a95

SHA256
d09dd239bdce103c46540970a7047a5419c9cc7b75759a18b6219ba71efe05e0

SHA512
63e9fb940c2b0d6a92bc1ad3213074fa412643948038fbed1d0c09fc5f1f1a79b010632c55e84bcc6b5fe1fffeb6d0884535b0612a20012a10c16c03c48df7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F01.exe
Filesize
1.3MB

MD5
f4d84eb34cdbd8b51173f50ae9302556

SHA1
cf03ff45dae92c973774b5a2bc937bdd29fa9a95

SHA256
d09dd239bdce103c46540970a7047a5419c9cc7b75759a18b6219ba71efe05e0

SHA512
63e9fb940c2b0d6a92bc1ad3213074fa412643948038fbed1d0c09fc5f1f1a79b010632c55e84bcc6b5fe1fffeb6d0884535b0612a20012a10c16c03c48df7da

Download Submit
memory/2668-115-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-116-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-117-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-118-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-119-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-120-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-121-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-122-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-123-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-124-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-125-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-126-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-127-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-128-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-129-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-131-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-132-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-133-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-134-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-135-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-136-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-137-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-138-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-139-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-140-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-141-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-142-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-143-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-144-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-146-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-147-0x00000000022A0000-0x00000000022A9000-memory.dmp

Filesize
36KB

Download
memory/2668-149-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-148-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2668-145-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/2668-150-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-151-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-152-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4636-155-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-177-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-156-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-157-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-158-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-159-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-160-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-161-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-164-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-163-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-165-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-166-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-168-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-169-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-167-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-170-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-172-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-173-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-174-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-176-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-175-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-153-0x0000000000000000-mapping.dmp

Download
memory/4636-178-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-180-0x00000000023E0000-0x000000000250C000-memory.dmp

Filesize
1.2MB

Download
memory/4636-179-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-182-0x0000000002510000-0x00000000027EB000-memory.dmp

Filesize
2.9MB

Download
memory/4636-183-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-181-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-184-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-185-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-186-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-187-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-192-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4636-201-0x00000000023E0000-0x000000000250C000-memory.dmp

Filesize
1.2MB

Download
memory/4636-202-0x0000000002510000-0x00000000027EB000-memory.dmp

Filesize
2.9MB

Download
memory/4636-203-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4636-216-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4636-217-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4752-188-0x0000000000000000-mapping.dmp

Download
memory/4752-190-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-189-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download