danabot | a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f

Analysis

max time kernel
150s
max time network
143s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe
Size

196KB
MD5

1928c4c92ba05b6a6183ef16b1fc7a39
SHA1

6d5b9a937fca0d2b2aaa06c6225a293cf6d0dc09
SHA256

a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f
SHA512

bf29f61900444825c055b4aab3e98a1062d9e251dfbf633b4c2258b7896684d6e23b30c003512ad217887bbb0b4ede567623e8524be34fe5171dabcd9ec7ec20
SSDEEP

3072:xIfpPL0OUiGA5RfCjEQfkgvvx8ruqkKy+Q9BpCcv/PkkXx:8LsiBf8sgvvJqPyVCc

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2656-141-0x0000000000620000-0x0000000000629000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

37A.exe

pid process

3096 37A.exe
Deletes itself 1 IoCs

Processes:

pid process

2172
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4888 3096 WerFault.exe 37A.exe
3712 3096 WerFault.exe 37A.exe

pid	process
3096	37A.exe

pid	process
2172

pid	pid_target	process	target process
4888	3096	WerFault.exe	37A.exe
3712	3096	WerFault.exe	37A.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe

pid	process
2656	a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe
2656	a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172
2172

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2172
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe

pid process

2656 a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2172
Token: SeCreatePagefilePrivilege 2172

pid	process
2172

description	pid	process
Token: SeShutdownPrivilege	2172
Token: SeCreatePagefilePrivilege	2172

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

37A.exe

description	pid	process	target process
PID 2172 wrote to memory of 3096	2172		37A.exe
PID 2172 wrote to memory of 3096	2172		37A.exe
PID 2172 wrote to memory of 3096	2172		37A.exe
PID 3096 wrote to memory of 4196	3096	37A.exe	appidtel.exe
PID 3096 wrote to memory of 4196	3096	37A.exe	appidtel.exe
PID 3096 wrote to memory of 4196	3096	37A.exe	appidtel.exe
PID 3096 wrote to memory of 4892	3096	37A.exe	rundll32.exe
PID 3096 wrote to memory of 4892	3096	37A.exe	rundll32.exe
PID 3096 wrote to memory of 4892	3096	37A.exe	rundll32.exe
PID 3096 wrote to memory of 4892	3096	37A.exe	rundll32.exe
PID 3096 wrote to memory of 4892	3096	37A.exe	rundll32.exe
PID 3096 wrote to memory of 4892	3096	37A.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe
"C:\Users\Admin\AppData\Local\Temp\a83c951acdf815bfb795cc7a7eb9dc8055affd6fe59d046ad208261d7f67349f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2656

C:\Users\Admin\AppData\Local\Temp\37A.exe
C:\Users\Admin\AppData\Local\Temp\37A.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:4196

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 604
2⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 628
2⤵
- Program crash
PID:3712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37A.exe
Filesize
1.3MB

MD5
1df53e1aa831aabf9fc4ef4f7bf46b4f

SHA1
905b118dfb89c9cbb2f1d0256eb1233020fd1b05

SHA256
aaae59b366dc5b5e8d235e5d648d88a72f7b85f2f2aceae6a343c95aec5247b8

SHA512
1298ad0f058a25bc591b98ab7d1aeeeb9765ed0421232d2758af71f1d98131eca5e642dee03190b19c75904221c03c169cf8bdbf3e6a4d2e05859d81d2ce4d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\37A.exe
Filesize
1.3MB

MD5
1df53e1aa831aabf9fc4ef4f7bf46b4f

SHA1
905b118dfb89c9cbb2f1d0256eb1233020fd1b05

SHA256
aaae59b366dc5b5e8d235e5d648d88a72f7b85f2f2aceae6a343c95aec5247b8

SHA512
1298ad0f058a25bc591b98ab7d1aeeeb9765ed0421232d2758af71f1d98131eca5e642dee03190b19c75904221c03c169cf8bdbf3e6a4d2e05859d81d2ce4d25

Download Submit
memory/2656-156-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2656-122-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-123-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-125-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-124-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-126-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-127-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-128-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-129-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-130-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-131-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-132-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-133-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-134-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-135-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-136-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-137-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-138-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-140-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-139-0x00000000007B6000-0x00000000007C6000-memory.dmp

Filesize
64KB

Download
memory/2656-142-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-141-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/2656-144-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2656-145-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-143-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-120-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-147-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-148-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-149-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-150-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-151-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-152-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-153-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-154-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-155-0x00000000007B6000-0x00000000007C6000-memory.dmp

Filesize
64KB

Download
memory/2656-119-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-146-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-121-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-204-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3096-179-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-157-0x0000000000000000-mapping.dmp

Download
memory/3096-162-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-163-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-164-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-165-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-167-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-161-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-168-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-169-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-170-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-171-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-172-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-173-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-174-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-176-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-177-0x00000000023A0000-0x00000000024D4000-memory.dmp

Filesize
1.2MB

Download
memory/3096-178-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-187-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-180-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-181-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-182-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-183-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-184-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-185-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-186-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-160-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-189-0x0000000002520000-0x00000000027FB000-memory.dmp

Filesize
2.9MB

Download
memory/3096-188-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-190-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-191-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/3096-219-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3096-206-0x0000000002520000-0x00000000027FB000-memory.dmp

Filesize
2.9MB

Download
memory/3096-205-0x00000000023A0000-0x00000000024D4000-memory.dmp

Filesize
1.2MB

Download
memory/3096-159-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4196-194-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4196-193-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4196-192-0x0000000000000000-mapping.dmp

Download