danabot | 9adae542cda4ae5595b029a59dfce9e608a6d9cb0230954090e99e5686015232

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_smoke_2586265091.exe
Size

990KB
MD5

c6590daf3562c911d8280aed67c81a1a
SHA1

740aa1f7657b2495115eae344f497d34e3b0fcdd
SHA256

9adae542cda4ae5595b029a59dfce9e608a6d9cb0230954090e99e5686015232
SHA512

a3a22776596ea2f992e47acd756b1533382d474b16c307732d5d282ba6b89a96512dd7c142acf46ea22c966cefe01ba0a1f315dbe84f8779216789bd761947bc
SSDEEP

24576:CNS/TRewd2e3s4on/1ooxAAHsP9PtL/Ol94cOMDARwTW:xbd2Yo/RAA+Or4uDPW

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

104.168.167.51:443

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
38025B93DA95E52B49DBD6CF4413C95E
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 36 IoCs

Processes:

rundll32.exe

flow	pid	process
7	1796	rundll32.exe
9	1796	rundll32.exe
10	1796	rundll32.exe
16	1796	rundll32.exe
17	1796	rundll32.exe
19	1796	rundll32.exe
32	1796	rundll32.exe
34	1796	rundll32.exe
38	1796	rundll32.exe
39	1796	rundll32.exe
40	1796	rundll32.exe
41	1796	rundll32.exe
44	1796	rundll32.exe
45	1796	rundll32.exe
47	1796	rundll32.exe
48	1796	rundll32.exe
49	1796	rundll32.exe
50	1796	rundll32.exe
51	1796	rundll32.exe
52	1796	rundll32.exe
53	1796	rundll32.exe
55	1796	rundll32.exe
56	1796	rundll32.exe
57	1796	rundll32.exe
58	1796	rundll32.exe
59	1796	rundll32.exe
60	1796	rundll32.exe
61	1796	rundll32.exe
62	1796	rundll32.exe
63	1796	rundll32.exe
64	1796	rundll32.exe
65	1796	rundll32.exe
66	1796	rundll32.exe
67	1796	rundll32.exe
68	1796	rundll32.exe
69	1796	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3340 4892 WerFault.exe malware_smoke_2586265091.exe

pid	pid_target	process	target process
3340	4892	WerFault.exe	malware_smoke_2586265091.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

malware_smoke_2586265091.exe

description	pid	process	target process
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe
PID 4892 wrote to memory of 1796	4892	malware_smoke_2586265091.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_2586265091.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_2586265091.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 612
2⤵
- Program crash
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4892 -ip 4892
1⤵
PID:4512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1796-135-0x0000000000000000-mapping.dmp

Download
memory/4892-132-0x00000000008B4000-0x0000000000979000-memory.dmp

Filesize
788KB

Download
memory/4892-133-0x0000000002320000-0x0000000002505000-memory.dmp

Filesize
1.9MB

Download
memory/4892-134-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4892-136-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download