danabot | 49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12

Analysis

max time kernel
150s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe
Size

196KB
MD5

7c3ebcfe5e8a01457bd38ddb740f9e85
SHA1

d41b0b47e27043ee663459a22aa5422e912c442d
SHA256

49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12
SHA512

51119ea4a9ac504175d38b1e4eb2c24879c54680540741ca9cf8085d26141fe5a751f61ccaec7b4f0efec2d50e41a2bdf9f2ebb4c46160193311131cb8b325b1
SSDEEP

3072:SAxNLYVEATb5YJnrU2Ti9A6NFqsf4PBeLVUmAgxA/Pka4x:zLXAmlT0x54Yb9

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1776-134-0x00000000022A0000-0x00000000022A9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

E69C.exe

pid process

4824 E69C.exe
Deletes itself 1 IoCs

Processes:

pid process

3032
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4896 4824 WerFault.exe E69C.exe
3520 4824 WerFault.exe E69C.exe

pid	process
4824	E69C.exe

pid	process
3032

pid	pid_target	process	target process
4896	4824	WerFault.exe	E69C.exe
3520	4824	WerFault.exe	E69C.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe

pid	process
1776	49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe
1776	49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe

pid process

1776 49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3032
Token: SeCreatePagefilePrivilege 3032

pid	process
3032

description	pid	process
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

E69C.exe

description	pid	process	target process
PID 3032 wrote to memory of 4824	3032		E69C.exe
PID 3032 wrote to memory of 4824	3032		E69C.exe
PID 3032 wrote to memory of 4824	3032		E69C.exe
PID 4824 wrote to memory of 1984	4824	E69C.exe	appidtel.exe
PID 4824 wrote to memory of 1984	4824	E69C.exe	appidtel.exe
PID 4824 wrote to memory of 1984	4824	E69C.exe	appidtel.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe
PID 4824 wrote to memory of 3452	4824	E69C.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe
"C:\Users\Admin\AppData\Local\Temp\49a10dfdf925ade68af1b86b61758e1f74570924daee46eb58fe2e3599967a12.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1776

C:\Users\Admin\AppData\Local\Temp\E69C.exe
C:\Users\Admin\AppData\Local\Temp\E69C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:1984

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 612
2⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 628
2⤵
- Program crash
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E69C.exe
Filesize
1.3MB

MD5
8986b55a9017f804a34cb81d41772b23

SHA1
3bcc5a3f9d421ab14852d3cd0c247ce60ec52e49

SHA256
463a84d5de81c240abaa3e223de328562870a5841ffec3c417fabdc230e9cfdd

SHA512
77310c1e7920fe7f559532747d7b352a1817dccc1ad87c6821cc3e60ae20b4edfad6ecc554dadf2411f2bc179db86805716757e32b7023690d83eeed4bce3d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\E69C.exe
Filesize
1.3MB

MD5
8986b55a9017f804a34cb81d41772b23

SHA1
3bcc5a3f9d421ab14852d3cd0c247ce60ec52e49

SHA256
463a84d5de81c240abaa3e223de328562870a5841ffec3c417fabdc230e9cfdd

SHA512
77310c1e7920fe7f559532747d7b352a1817dccc1ad87c6821cc3e60ae20b4edfad6ecc554dadf2411f2bc179db86805716757e32b7023690d83eeed4bce3d26

Download Submit
memory/1776-116-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-120-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-123-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-133-0x0000000000806000-0x0000000000816000-memory.dmp

Filesize
64KB

Download
memory/1776-134-0x00000000022A0000-0x00000000022A9000-memory.dmp

Filesize
36KB

Download
memory/1776-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-142-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/1776-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-149-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1776-152-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/1776-153-0x0000000000806000-0x0000000000816000-memory.dmp

Filesize
64KB

Download
memory/1984-189-0x0000000000000000-mapping.dmp

Download
memory/1984-190-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1984-191-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-154-0x0000000000000000-mapping.dmp

Download
memory/4824-156-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-159-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-166-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-165-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-167-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-168-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-169-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-170-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-171-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-173-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-174-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-175-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-176-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-177-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-178-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-179-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-180-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-181-0x0000000002390000-0x00000000024BB000-memory.dmp

Filesize
1.2MB

Download
memory/4824-182-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-183-0x0000000002520000-0x00000000027FB000-memory.dmp

Filesize
2.9MB

Download
memory/4824-184-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-185-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-186-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-187-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-188-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-193-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4824-202-0x0000000002390000-0x00000000024BB000-memory.dmp

Filesize
1.2MB

Download
memory/4824-203-0x0000000002520000-0x00000000027FB000-memory.dmp

Filesize
2.9MB

Download
memory/4824-204-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4824-212-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/4824-218-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download