danabot | 9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e

Analysis

max time kernel
150s
max time network
120s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2022 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe
Size

196KB
MD5

0482533fc3093a15e0781d4318d2847b
SHA1

3487a17019b164cd135e6c026bf29f257aca7f91
SHA256

9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e
SHA512

7083708a0042ea849e0ece06f9908bded59d94779bd779d8588e735ab83a1c9c2f5335140e4df7e8235a50dfddd48ccb06bd821979fa43d7d4ed2c21515d23dd
SSDEEP

3072:tGkNo4LsgIIHN5rGyP5aSjgUtIaALPzPCBN6RET/PkkXx:3LCILGTSjxkPzP/RE

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1532-146-0x0000000000670000-0x0000000000679000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

2F7C.exe

pid process

3576 2F7C.exe
Deletes itself 1 IoCs

Processes:

pid process

3012

pid	process
3576	2F7C.exe

pid	process
3012

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe

pid	process
1532	9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe
1532	9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012
3012

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3012
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe

pid process

1532 9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3012
Token: SeCreatePagefilePrivilege 3012

pid	process
3012

description	pid	process
Token: SeShutdownPrivilege	3012
Token: SeCreatePagefilePrivilege	3012

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2F7C.exe

description	pid	process	target process
PID 3012 wrote to memory of 3576	3012		2F7C.exe
PID 3012 wrote to memory of 3576	3012		2F7C.exe
PID 3012 wrote to memory of 3576	3012		2F7C.exe
PID 3576 wrote to memory of 3968	3576	2F7C.exe	appidtel.exe
PID 3576 wrote to memory of 3968	3576	2F7C.exe	appidtel.exe
PID 3576 wrote to memory of 3968	3576	2F7C.exe	appidtel.exe

C:\Users\Admin\AppData\Local\Temp\9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe
"C:\Users\Admin\AppData\Local\Temp\9590788539509382088eea355a7cf597ee57d3ae88df786cdffdfcf8a243196e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1532

C:\Users\Admin\AppData\Local\Temp\2F7C.exe
C:\Users\Admin\AppData\Local\Temp\2F7C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2F7C.exe
Filesize
1.3MB

MD5
0d04f4dcf1c8057b6ed68057444a68a8

SHA1
c5c089025aef15d1aaa13c746f597bcb57fc45ce

SHA256
c13e4751e60749c9f221b107efbc807514299c8452346f5fdf07de91fc47c7de

SHA512
46a42550b0996c9875f7e68afa21b32437f013d2b3a8db7b6965b86ded369c3ef9dfbcbbc11904c58456e1d5919dea897b1f59455ea77af016c901e43b0984b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F7C.exe
Filesize
1.3MB

MD5
0d04f4dcf1c8057b6ed68057444a68a8

SHA1
c5c089025aef15d1aaa13c746f597bcb57fc45ce

SHA256
c13e4751e60749c9f221b107efbc807514299c8452346f5fdf07de91fc47c7de

SHA512
46a42550b0996c9875f7e68afa21b32437f013d2b3a8db7b6965b86ded369c3ef9dfbcbbc11904c58456e1d5919dea897b1f59455ea77af016c901e43b0984b2

Download Submit
memory/1532-120-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-121-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-122-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-123-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-124-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-125-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-126-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-127-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-128-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-129-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-130-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-131-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-132-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-133-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-134-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-136-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-137-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-138-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-139-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-140-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-141-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-142-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-143-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-144-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-145-0x0000000000690000-0x00000000007DA000-memory.dmp

Filesize
1.3MB

Download
memory/1532-146-0x0000000000670000-0x0000000000679000-memory.dmp

Filesize
36KB

Download
memory/1532-147-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/1532-148-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-149-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-151-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-150-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-152-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-153-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-154-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-155-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-156-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1532-157-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/3576-160-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-182-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-161-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-162-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-163-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-165-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-164-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-166-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-168-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-169-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-170-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-171-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-173-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-172-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-174-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-175-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-177-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-178-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-179-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-180-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-181-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-158-0x0000000000000000-mapping.dmp

Download
memory/3576-183-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-184-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-186-0x0000000002350000-0x000000000247F000-memory.dmp

Filesize
1.2MB

Download
memory/3576-185-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-187-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-189-0x0000000002500000-0x00000000027DB000-memory.dmp

Filesize
2.9MB

Download
memory/3576-190-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-191-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-188-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-192-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-193-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3576-206-0x0000000002350000-0x000000000247F000-memory.dmp

Filesize
1.2MB

Download
memory/3576-207-0x0000000002500000-0x00000000027DB000-memory.dmp

Filesize
2.9MB

Download
memory/3576-208-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3576-210-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3576-211-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/3968-194-0x0000000000000000-mapping.dmp

Download
memory/3968-195-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3968-196-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download