danabot | 1fc8724cc19df186b45a21260de7dc73ff1d915f7bdbce74f92429d1a517b50b

Analysis

max time kernel
151s
max time network
162s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_smoke_4281809129.exe
Size

1.1MB
MD5

36c1160582e33d62df2c29a938f4a86f
SHA1

af1133a8a223a965a18bc15bdf69711fc5128e3b
SHA256

1fc8724cc19df186b45a21260de7dc73ff1d915f7bdbce74f92429d1a517b50b
SHA512

3cdf130b1b8494d2442b9796127a8f2638516e54fc6e81691a7ceb1aaed6a505dc5d93ef8c8a42511f283828d03ebc0338e66d1be319f990f13daba4481bea57
SSDEEP

12288:q6sLNmPc68E1+wdxGhJOKzrKUzXJiUIur36CtGNe+vkjeL9mwFCNunVC+YqBSLaf:qpQc69+J7KczIS/72yN8VrwjYgaiL

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

23.106.122.14:443

5.9.224.217:443

192.236.161.4:443

Attributes

embedded_hash
02CDE3C5209428051C9FFF92782DB49C
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 9 IoCs

Processes:

rundll32.exe

flow	pid	process
2	2020	rundll32.exe
5	2020	rundll32.exe
6	2020	rundll32.exe
7	2020	rundll32.exe
8	2020	rundll32.exe
9	2020	rundll32.exe
10	2020	rundll32.exe
13	2020	rundll32.exe
14	2020	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

malware_smoke_4281809129.exe

description	pid	process	target process
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe
PID 364 wrote to memory of 2020	364	malware_smoke_4281809129.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_4281809129.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_4281809129.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-54-0x0000000002160000-0x000000000224B000-memory.dmp

Filesize
940KB

Download
memory/364-55-0x0000000002250000-0x0000000002499000-memory.dmp

Filesize
2.3MB

Download
memory/364-56-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/364-57-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/364-58-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/364-99-0x0000000000400000-0x000000000072D000-memory.dmp

Filesize
3.2MB

Download
memory/364-98-0x0000000002250000-0x0000000002499000-memory.dmp

Filesize
2.3MB

Download
memory/2020-89-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/2020-87-0x0000000000000000-mapping.dmp

Download
memory/2020-90-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2020-91-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/2020-92-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/2020-93-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/2020-94-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/2020-95-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/2020-96-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/2020-97-0x0000000000100000-0x0000000000103000-memory.dmp

Filesize
12KB

Download
memory/2020-61-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2020-59-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download