danabot | 9adae542cda4ae5595b029a59dfce9e608a6d9cb0230954090e99e5686015232

General

Target

malware_smoke_2586265091.exe
Size

990KB
MD5

c6590daf3562c911d8280aed67c81a1a
SHA1

740aa1f7657b2495115eae344f497d34e3b0fcdd
SHA256

9adae542cda4ae5595b029a59dfce9e608a6d9cb0230954090e99e5686015232
SHA512

a3a22776596ea2f992e47acd756b1533382d474b16c307732d5d282ba6b89a96512dd7c142acf46ea22c966cefe01ba0a1f315dbe84f8779216789bd761947bc
SSDEEP

24576:CNS/TRewd2e3s4on/1ooxAAHsP9PtL/Ol94cOMDARwTW:xbd2Yo/RAA+Or4uDPW

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

104.168.167.51:443

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
38025B93DA95E52B49DBD6CF4413C95E
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 35 IoCs

Processes:

rundll32.exe

flow	pid	process
3	1640	rundll32.exe
5	1640	rundll32.exe
6	1640	rundll32.exe
7	1640	rundll32.exe
8	1640	rundll32.exe
9	1640	rundll32.exe
10	1640	rundll32.exe
11	1640	rundll32.exe
12	1640	rundll32.exe
13	1640	rundll32.exe
14	1640	rundll32.exe
15	1640	rundll32.exe
16	1640	rundll32.exe
17	1640	rundll32.exe
18	1640	rundll32.exe
19	1640	rundll32.exe
20	1640	rundll32.exe
21	1640	rundll32.exe
22	1640	rundll32.exe
23	1640	rundll32.exe
24	1640	rundll32.exe
25	1640	rundll32.exe
26	1640	rundll32.exe
27	1640	rundll32.exe
28	1640	rundll32.exe
29	1640	rundll32.exe
30	1640	rundll32.exe
31	1640	rundll32.exe
32	1640	rundll32.exe
33	1640	rundll32.exe
34	1640	rundll32.exe
35	1640	rundll32.exe
36	1640	rundll32.exe
37	1640	rundll32.exe
38	1640	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

malware_smoke_2586265091.exe

description	pid	process	target process
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe
PID 1452 wrote to memory of 1640	1452	malware_smoke_2586265091.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_2586265091.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_2586265091.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-104-0x0000000001E20000-0x0000000002005000-memory.dmp

Filesize
1.9MB

Download
memory/1452-55-0x0000000000220000-0x00000000002E5000-memory.dmp

Filesize
788KB

Download
memory/1452-56-0x0000000001E20000-0x0000000002005000-memory.dmp

Filesize
1.9MB

Download
memory/1452-57-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1452-58-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1452-121-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1452-54-0x0000000000220000-0x00000000002E5000-memory.dmp

Filesize
788KB

Download
memory/1640-111-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/1640-108-0x0000000000110000-0x0000000000113000-memory.dmp

Filesize
12KB

Download
memory/1640-101-0x0000000000000000-mapping.dmp

Download
memory/1640-106-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/1640-110-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/1640-61-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/1640-113-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/1640-112-0x0000000000150000-0x0000000000153000-memory.dmp

Filesize
12KB

Download
memory/1640-109-0x0000000000120000-0x0000000000123000-memory.dmp

Filesize
12KB

Download
memory/1640-103-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1640-107-0x0000000000100000-0x0000000000103000-memory.dmp

Filesize
12KB

Download
memory/1640-105-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/1640-114-0x0000000000170000-0x0000000000173000-memory.dmp

Filesize
12KB

Download
memory/1640-115-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1640-116-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/1640-117-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/1640-118-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/1640-119-0x0000000000200000-0x0000000000203000-memory.dmp

Filesize
12KB

Download
memory/1640-120-0x0000000000210000-0x0000000000213000-memory.dmp

Filesize
12KB

Download
memory/1640-59-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing