danabot | e13640666585c0e82d6cc9f3d2dc3a3da66c3a852b646d59bb7cfa97cc39bffd

General

Target

malware_smoke_3061005942.exe
Size

1.1MB
MD5

2141a496f9a9d04a7a28caef9e888fed
SHA1

9aa0b33782f87c1c3c77c27c877cb2bb60b4ab5f
SHA256

e13640666585c0e82d6cc9f3d2dc3a3da66c3a852b646d59bb7cfa97cc39bffd
SHA512

80f26f43c73b3a5d336a118e3caec0713f9c9d1df5980534887e8d8fd3a9a1bf2008628e9f425b861baa288df727e60cef482f0b33518eddf861d396bcb19d80
SSDEEP

24576:9TwAQDab31LuMbTAf0ZldVmo9I/wQXQihcbDhY7OY:9T716MbTrZtxQXQ+8hEOY

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.106.122.14:443

5.9.224.217:443

192.236.161.4:443

Attributes

embedded_hash
02CDE3C5209428051C9FFF92782DB49C
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
2	948	rundll32.exe
4	948	rundll32.exe
6	948	rundll32.exe
7	948	rundll32.exe
8	948	rundll32.exe
9	948	rundll32.exe
10	948	rundll32.exe
11	948	rundll32.exe
12	948	rundll32.exe
13	948	rundll32.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

malware_smoke_3061005942.exe

description	pid	process	target process
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe
PID 2044 wrote to memory of 948	2044	malware_smoke_3061005942.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_3061005942.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_3061005942.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-114-0x0000000000110000-0x0000000000113000-memory.dmp

Filesize
12KB

Download
memory/948-115-0x0000000000120000-0x0000000000123000-memory.dmp

Filesize
12KB

Download
memory/948-117-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/948-116-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/948-111-0x0000000000000000-mapping.dmp

Download
memory/948-59-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download
memory/948-61-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download
memory/948-113-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/2044-55-0x00000000021C0000-0x0000000002409000-memory.dmp

Filesize
2.3MB

Download
memory/2044-54-0x00000000020D0000-0x00000000021BB000-memory.dmp

Filesize
940KB

Download
memory/2044-58-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/2044-57-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/2044-56-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/2044-118-0x00000000021C0000-0x0000000002409000-memory.dmp

Filesize
2.3MB

Download
memory/2044-119-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing