danabot | bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b

Analysis

max time kernel
150s
max time network
137s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exe
Size

197KB
MD5

d4f8a4af5d4ab001eb10290991df78ec
SHA1

ed0cdf7d9befb0c73a0b34ff4be985f30e6597fb
SHA256

bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b
SHA512

0e32df29143e88b84bda3d88b23820628d3bc5625642d0fcae2495ec1112a565e1ce9ec9edc1044df1e1d80d5a9ead4a058779cfdc47d428dea5138bcf8f4fc9
SSDEEP

3072:W/g0+LM4/QJb59tfeyyCVgt5cVIGUyW5tjxMBk6xO+R/Pka4x:9LlQVtfxfgt54UJhe

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2804-139-0x00000000022A0000-0x00000000022A9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1F6F.exetawgsuv

pid process

4756 1F6F.exe
2336 tawgsuv
Deletes itself 1 IoCs

Processes:

pid process

2744
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4904 4756 WerFault.exe 1F6F.exe
4404 4756 WerFault.exe 1F6F.exe

pid	process
4756	1F6F.exe
2336	tawgsuv

pid	process
2744

pid	pid_target	process	target process
4904	4756	WerFault.exe	1F6F.exe
4404	4756	WerFault.exe	1F6F.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exetawgsuv

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tawgsuv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tawgsuv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tawgsuv

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exe

pid	process
2804	bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exe
2804	bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exe
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744
2744

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2744
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exetawgsuv

pid process

2804 bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exe
2336 tawgsuv
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2744
Token: SeCreatePagefilePrivilege 2744

pid	process
2744

description	pid	process
Token: SeShutdownPrivilege	2744
Token: SeCreatePagefilePrivilege	2744

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

1F6F.exe

description	pid	process	target process
PID 2744 wrote to memory of 4756	2744		1F6F.exe
PID 2744 wrote to memory of 4756	2744		1F6F.exe
PID 2744 wrote to memory of 4756	2744		1F6F.exe
PID 4756 wrote to memory of 4180	4756	1F6F.exe	appidtel.exe
PID 4756 wrote to memory of 4180	4756	1F6F.exe	appidtel.exe
PID 4756 wrote to memory of 4180	4756	1F6F.exe	appidtel.exe
PID 4756 wrote to memory of 1424	4756	1F6F.exe	rundll32.exe
PID 4756 wrote to memory of 1424	4756	1F6F.exe	rundll32.exe
PID 4756 wrote to memory of 1424	4756	1F6F.exe	rundll32.exe
PID 4756 wrote to memory of 1424	4756	1F6F.exe	rundll32.exe
PID 4756 wrote to memory of 1424	4756	1F6F.exe	rundll32.exe
PID 4756 wrote to memory of 1424	4756	1F6F.exe	rundll32.exe
PID 4756 wrote to memory of 1424	4756	1F6F.exe	rundll32.exe
PID 4756 wrote to memory of 1424	4756	1F6F.exe	rundll32.exe
PID 4756 wrote to memory of 1424	4756	1F6F.exe	rundll32.exe
PID 4756 wrote to memory of 1424	4756	1F6F.exe	rundll32.exe
PID 4756 wrote to memory of 1424	4756	1F6F.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exe
"C:\Users\Admin\AppData\Local\Temp\bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2804

C:\Users\Admin\AppData\Local\Temp\1F6F.exe
C:\Users\Admin\AppData\Local\Temp\1F6F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:4180

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 600
2⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 632
2⤵
- Program crash
PID:4404

C:\Users\Admin\AppData\Roaming\tawgsuv
C:\Users\Admin\AppData\Roaming\tawgsuv
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1F6F.exe
Filesize
1.3MB

MD5
1dbaa0102ec2dbb7a37bdd3e62e60d9b

SHA1
ddc45fcb829e05d8d137b82c64c1a13134b91198

SHA256
287a774c47ad434a2280b76c9d7c2c89390ea2d69f2ae944909716ba6111c619

SHA512
e2e06155bd568f4e74499ab1d4e4559d352051103d49fdb024b8f428cc2266a68d4b57f0209cff40951326275ba8472711699d4fd900cb10831d0b5098820dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F6F.exe
Filesize
1.3MB

MD5
1dbaa0102ec2dbb7a37bdd3e62e60d9b

SHA1
ddc45fcb829e05d8d137b82c64c1a13134b91198

SHA256
287a774c47ad434a2280b76c9d7c2c89390ea2d69f2ae944909716ba6111c619

SHA512
e2e06155bd568f4e74499ab1d4e4559d352051103d49fdb024b8f428cc2266a68d4b57f0209cff40951326275ba8472711699d4fd900cb10831d0b5098820dd7

Download Submit
C:\Users\Admin\AppData\Roaming\tawgsuv
Filesize
197KB

MD5
d4f8a4af5d4ab001eb10290991df78ec

SHA1
ed0cdf7d9befb0c73a0b34ff4be985f30e6597fb

SHA256
bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b

SHA512
0e32df29143e88b84bda3d88b23820628d3bc5625642d0fcae2495ec1112a565e1ce9ec9edc1044df1e1d80d5a9ead4a058779cfdc47d428dea5138bcf8f4fc9

Download Submit
C:\Users\Admin\AppData\Roaming\tawgsuv
Filesize
197KB

MD5
d4f8a4af5d4ab001eb10290991df78ec

SHA1
ed0cdf7d9befb0c73a0b34ff4be985f30e6597fb

SHA256
bfbbff6982768d35faded6bca94d6a96d9f67c19aa93ed58a8c551489dc4503b

SHA512
0e32df29143e88b84bda3d88b23820628d3bc5625642d0fcae2495ec1112a565e1ce9ec9edc1044df1e1d80d5a9ead4a058779cfdc47d428dea5138bcf8f4fc9

Download Submit
memory/2336-253-0x00000000008C6000-0x00000000008D7000-memory.dmp

Filesize
68KB

Download
memory/2336-254-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/2336-255-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2336-256-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2804-139-0x00000000022A0000-0x00000000022A9000-memory.dmp

Filesize
36KB

Download
memory/2804-141-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-123-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-124-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-125-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-126-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-127-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-128-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-129-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-131-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-132-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-133-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-134-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-135-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-136-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-137-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/2804-121-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-140-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-142-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2804-122-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-138-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-143-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-144-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-145-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-146-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-148-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-147-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-149-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-150-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-151-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-152-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2804-115-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-116-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-117-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-120-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-119-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-118-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4180-191-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4180-190-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4180-188-0x0000000000000000-mapping.dmp

Download
memory/4756-153-0x0000000000000000-mapping.dmp

Download
memory/4756-161-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-163-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-164-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-165-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-166-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-167-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-168-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-169-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-170-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-172-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-173-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-174-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-175-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-176-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-177-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-179-0x00000000024C0000-0x00000000025F3000-memory.dmp

Filesize
1.2MB

Download
memory/4756-178-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-182-0x0000000002600000-0x00000000028DB000-memory.dmp

Filesize
2.9MB

Download
memory/4756-181-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-183-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-184-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-180-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-185-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-186-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-187-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-189-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4756-201-0x00000000024C0000-0x00000000025F3000-memory.dmp

Filesize
1.2MB

Download
memory/4756-202-0x0000000002600000-0x00000000028DB000-memory.dmp

Filesize
2.9MB

Download
memory/4756-203-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4756-206-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4756-217-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4756-160-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-159-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-158-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-157-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-156-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-155-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download