danabot | 380799a1cfe4311c17c4c6240ac65d8337e55679a547e57621ac3c8c9233315f

Analysis

max time kernel
135s
max time network
163s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_smoke_3900822290.exe
Size

1.1MB
MD5

aecb3fdebc29b15a92535bbbd21d295c
SHA1

aba867d33123b33a1d21f7db6f05472721e2f5ef
SHA256

380799a1cfe4311c17c4c6240ac65d8337e55679a547e57621ac3c8c9233315f
SHA512

6ec34ae1e2141c3faee6f724fb0f5ae998b574ac765bfac0c21d5915c416085f50b6b3f500ebe787b6efb61b36ee9a19807278ae64d2a68e4ff53d6a5c499f99
SSDEEP

24576:oiMdCm9+HP+xWXeHSoejsC5GL/6YkRkE26tW3Pk4d:o4NOKDw/6A84

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

Attributes

embedded_hash
C9710462E1D60893F562FB2B07EC3B66
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

3 968 rundll32.exe
5 968 rundll32.exe
6 968 rundll32.exe
7 968 rundll32.exe

flow	pid	process
3	968	rundll32.exe
5	968	rundll32.exe
6	968	rundll32.exe
7	968	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

malware_smoke_3900822290.exe

description	pid	process	target process
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe
PID 1980 wrote to memory of 968	1980	malware_smoke_3900822290.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_3900822290.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_3900822290.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-93-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/968-95-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/968-96-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/968-91-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/968-63-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/968-92-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/968-94-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/968-61-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/968-89-0x0000000000000000-mapping.dmp

Download
memory/1980-58-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/1980-60-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1980-55-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/1980-54-0x00000000002D0000-0x00000000003B1000-memory.dmp

Filesize
900KB

Download
memory/1980-59-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/1980-57-0x0000000001F30000-0x000000000215B000-memory.dmp

Filesize
2.2MB

Download
memory/1980-56-0x00000000002D0000-0x00000000003B1000-memory.dmp

Filesize
900KB

Download