danabot | 0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb

Analysis

max time kernel
150s
max time network
139s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26-09-2022 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe
Size

154KB
MD5

360cf16df323e0288bd9b245735ebf41
SHA1

8e3ace582f4c30b451ed145976d592dfe9f45ed5
SHA256

0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb
SHA512

8b9a4752d70f2ec33503a5347f7c44ce3f5efea9a9936f1df4858d0e54ff0179ce20cb23737fb343375cfbc3abf967f5161e29c0244586750c8a4e5d01ecc769
SSDEEP

3072:xU9lGG5pTQwk2gwrIO4PkrpQdhs/lDdlVvgCB/eAeRwm5x:OnUO7rIOS4yhsdDBt/eR

Score

10^/10

danabot redline smokeloader insmix backdoor banker discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

danabot

198.15.112.179:443

185.62.56.245:443

153.92.223.225:443

192.119.70.159:443

Attributes

embedded_hash
6618C163D57D6441FCCA65D86C4D380D
type
loader

Extracted

Family

redline

Botnet

insmix

jamesmillion2.xyz:9420

Attributes

auth_value
f388a05524f756108c9e4b0f4c4bafb6

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2384-144-0x00000000006B0000-0x00000000006B9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

803C.exeF1C3.exe

pid process

1896 803C.exe
3620 F1C3.exe
Deletes itself 1 IoCs

Processes:

pid process

2576
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4980 1896 WerFault.exe 803C.exe

pid	process
1896	803C.exe
3620	F1C3.exe

pid	process
2576

pid	pid_target	process	target process
4980	1896	WerFault.exe	803C.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe

pid	process
2384	0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe
2384	0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2576
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe

pid process

2384 0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe

pid	process
2576

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

F1C3.exe

description	pid	process
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeDebugPrivilege	3620	F1C3.exe
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

803C.exe

description	pid	process	target process
PID 2576 wrote to memory of 1896	2576		803C.exe
PID 2576 wrote to memory of 1896	2576		803C.exe
PID 2576 wrote to memory of 1896	2576		803C.exe
PID 1896 wrote to memory of 1248	1896	803C.exe	appidtel.exe
PID 1896 wrote to memory of 1248	1896	803C.exe	appidtel.exe
PID 1896 wrote to memory of 1248	1896	803C.exe	appidtel.exe
PID 2576 wrote to memory of 3620	2576		F1C3.exe
PID 2576 wrote to memory of 3620	2576		F1C3.exe
PID 2576 wrote to memory of 3620	2576		F1C3.exe
PID 1896 wrote to memory of 4932	1896	803C.exe	rundll32.exe
PID 1896 wrote to memory of 4932	1896	803C.exe	rundll32.exe
PID 1896 wrote to memory of 4932	1896	803C.exe	rundll32.exe
PID 1896 wrote to memory of 4932	1896	803C.exe	rundll32.exe
PID 1896 wrote to memory of 4932	1896	803C.exe	rundll32.exe
PID 1896 wrote to memory of 4932	1896	803C.exe	rundll32.exe
PID 1896 wrote to memory of 4932	1896	803C.exe	rundll32.exe
PID 1896 wrote to memory of 4932	1896	803C.exe	rundll32.exe
PID 1896 wrote to memory of 4932	1896	803C.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe
"C:\Users\Admin\AppData\Local\Temp\0d4755822c399c1724aba59ff9cd587b80cd7b324cb6709a9d997a5569a7b7cb.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2384

C:\Users\Admin\AppData\Local\Temp\803C.exe
C:\Users\Admin\AppData\Local\Temp\803C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:1248

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 624
2⤵
- Program crash
PID:4980

C:\Users\Admin\AppData\Local\Temp\F1C3.exe
C:\Users\Admin\AppData\Local\Temp\F1C3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\803C.exe
Filesize
1.2MB

MD5
61e96ce82e0b4d75fb14549a01d34a08

SHA1
c11f3f509fc4cdf2b2849c3f33bf4ed6f9f2449c

SHA256
97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794

SHA512
8127d6ce59f680cf6f675c2a6ac140318f9455c30f13c3f7ea3c761e44f4698813daee865ccfdb93a3670afd86be90c45f202c9ac512827c62bbf77248eccb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\803C.exe
Filesize
1.2MB

MD5
61e96ce82e0b4d75fb14549a01d34a08

SHA1
c11f3f509fc4cdf2b2849c3f33bf4ed6f9f2449c

SHA256
97b5d69c22f57397a4eb17c5c15429678c09cb530cb48267a809491716a1c794

SHA512
8127d6ce59f680cf6f675c2a6ac140318f9455c30f13c3f7ea3c761e44f4698813daee865ccfdb93a3670afd86be90c45f202c9ac512827c62bbf77248eccb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1C3.exe
Filesize
304KB

MD5
15f1517f0ceaaf9b6c78cf7625510c07

SHA1
8aabce20aff43476586a1b69b0b761a7f39d1e7e

SHA256
d0d47dec11c63b6fa1a2dcac89e5a7352220e371b728781de041bf42fa8965fb

SHA512
931a79a6e0d38c9b59b03a68d31e3c8fdb2b51e5eeed1df45790eba38f516f767ed67d9edd10bef16d169dc253c81ba6afb5d52738761cc2fa84f601f86b3516

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1C3.exe
Filesize
304KB

MD5
15f1517f0ceaaf9b6c78cf7625510c07

SHA1
8aabce20aff43476586a1b69b0b761a7f39d1e7e

SHA256
d0d47dec11c63b6fa1a2dcac89e5a7352220e371b728781de041bf42fa8965fb

SHA512
931a79a6e0d38c9b59b03a68d31e3c8fdb2b51e5eeed1df45790eba38f516f767ed67d9edd10bef16d169dc253c81ba6afb5d52738761cc2fa84f601f86b3516

Download Submit
memory/1248-196-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1248-194-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1248-193-0x0000000000000000-mapping.dmp

Download
memory/1896-208-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1896-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-336-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1896-335-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1896-207-0x0000000002560000-0x000000000283B000-memory.dmp

Filesize
2.9MB

Download
memory/1896-206-0x0000000002430000-0x000000000255C000-memory.dmp

Filesize
1.2MB

Download
memory/1896-195-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/1896-192-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-175-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-191-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-190-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-177-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-189-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-188-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-187-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-186-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-185-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-184-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-183-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-182-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-181-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-179-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-180-0x0000000002560000-0x000000000283B000-memory.dmp

Filesize
2.9MB

Download
memory/1896-178-0x0000000002430000-0x000000000255C000-memory.dmp

Filesize
1.2MB

Download
memory/1896-174-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-172-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-171-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-170-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-169-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-168-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-158-0x0000000000000000-mapping.dmp

Download
memory/1896-160-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-161-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-164-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-124-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-157-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2384-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-156-0x0000000000836000-0x0000000000847000-memory.dmp

Filesize
68KB

Download
memory/2384-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-153-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-152-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-138-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-149-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-144-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/2384-146-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2384-145-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-142-0x0000000000836000-0x0000000000847000-memory.dmp

Filesize
68KB

Download
memory/2384-141-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-139-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-136-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-127-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/3620-297-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/3620-256-0x0000000002300000-0x0000000002330000-memory.dmp

Filesize
192KB

Download
memory/3620-305-0x0000000006230000-0x00000000062C2000-memory.dmp

Filesize
584KB

Download
memory/3620-261-0x0000000004E20000-0x000000000531E000-memory.dmp

Filesize
5.0MB

Download
memory/3620-263-0x00000000023F0000-0x000000000241E000-memory.dmp

Filesize
184KB

Download
memory/3620-274-0x0000000005320000-0x0000000005926000-memory.dmp

Filesize
6.0MB

Download
memory/3620-275-0x0000000002890000-0x00000000028A2000-memory.dmp

Filesize
72KB

Download
memory/3620-276-0x0000000004C70000-0x0000000004D7A000-memory.dmp

Filesize
1.0MB

Download
memory/3620-306-0x0000000006470000-0x0000000006632000-memory.dmp

Filesize
1.8MB

Download
memory/3620-287-0x0000000004DB0000-0x0000000004DFB000-memory.dmp

Filesize
300KB

Download
memory/3620-209-0x0000000000000000-mapping.dmp

Download
memory/3620-245-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3620-279-0x00000000028E0000-0x000000000291E000-memory.dmp

Filesize
248KB

Download
memory/3620-307-0x0000000006640000-0x0000000006B6C000-memory.dmp

Filesize
5.2MB

Download
memory/3620-310-0x0000000006C70000-0x0000000006CE6000-memory.dmp

Filesize
472KB

Download
memory/3620-311-0x0000000006D30000-0x0000000006D4E000-memory.dmp

Filesize
120KB

Download
memory/3620-315-0x0000000006E10000-0x0000000006E60000-memory.dmp

Filesize
320KB

Download
memory/3620-316-0x00000000005B0000-0x000000000065E000-memory.dmp

Filesize
696KB

Download
memory/3620-317-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3620-322-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3620-242-0x00000000005B0000-0x000000000065E000-memory.dmp

Filesize
696KB

Download
memory/3620-243-0x00000000021C0000-0x00000000021F7000-memory.dmp

Filesize
220KB

Download