danabot | 2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7

General

Target

malware_smoke_1190770884.exe
Size

1.0MB
MD5

5b64b4c975ff001a2d99bf9b65b4b8bb
SHA1

a234b171340ca47f2a2fba0705911c61416e8985
SHA256

2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7
SHA512

7a923c06534c9d29d9911760ad3b3ebd685806ff2cb157a055616532cf7aeabe362005e6ab38d669087b076840d70f77bbd6f14500fc98b56c4f2cbe6856cd5d
SSDEEP

24576:vbahsA6iHbGRj+x7UkpFU/UzPkgSSML3xitJwDSmAESmB:OhsTibGRjM7UkpFRMxqwM

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
5C4A9996E213E13DC6AC3BC28C895A29
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 64 IoCs

Processes:

rundll32.exe

flow	pid	process
2	1788	rundll32.exe
4	1788	rundll32.exe
6	1788	rundll32.exe
7	1788	rundll32.exe
8	1788	rundll32.exe
9	1788	rundll32.exe
10	1788	rundll32.exe
11	1788	rundll32.exe
12	1788	rundll32.exe
13	1788	rundll32.exe
14	1788	rundll32.exe
15	1788	rundll32.exe
17	1788	rundll32.exe
18	1788	rundll32.exe
19	1788	rundll32.exe
20	1788	rundll32.exe
21	1788	rundll32.exe
22	1788	rundll32.exe
23	1788	rundll32.exe
24	1788	rundll32.exe
25	1788	rundll32.exe
26	1788	rundll32.exe
27	1788	rundll32.exe
28	1788	rundll32.exe
29	1788	rundll32.exe
30	1788	rundll32.exe
31	1788	rundll32.exe
32	1788	rundll32.exe
33	1788	rundll32.exe
34	1788	rundll32.exe
35	1788	rundll32.exe
36	1788	rundll32.exe
37	1788	rundll32.exe
38	1788	rundll32.exe
39	1788	rundll32.exe
40	1788	rundll32.exe
41	1788	rundll32.exe
42	1788	rundll32.exe
43	1788	rundll32.exe
44	1788	rundll32.exe
45	1788	rundll32.exe
46	1788	rundll32.exe
47	1788	rundll32.exe
48	1788	rundll32.exe
49	1788	rundll32.exe
50	1788	rundll32.exe
51	1788	rundll32.exe
52	1788	rundll32.exe
53	1788	rundll32.exe
54	1788	rundll32.exe
55	1788	rundll32.exe
56	1788	rundll32.exe
57	1788	rundll32.exe
58	1788	rundll32.exe
59	1788	rundll32.exe
60	1788	rundll32.exe
61	1788	rundll32.exe
62	1788	rundll32.exe
63	1788	rundll32.exe
64	1788	rundll32.exe
65	1788	rundll32.exe
67	1788	rundll32.exe
68	1788	rundll32.exe
69	1788	rundll32.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

malware_smoke_1190770884.exe

description	pid	process	target process
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe
PID 1720 wrote to memory of 1788	1720	malware_smoke_1190770884.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_1190770884.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_1190770884.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-54-0x00000000005F0000-0x00000000006B5000-memory.dmp

Filesize
788KB

Download
memory/1720-55-0x00000000005F0000-0x00000000006B5000-memory.dmp

Filesize
788KB

Download
memory/1720-56-0x0000000001E70000-0x0000000002055000-memory.dmp

Filesize
1.9MB

Download
memory/1720-57-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1720-58-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1720-132-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1720-131-0x0000000001E70000-0x0000000002055000-memory.dmp

Filesize
1.9MB

Download
memory/1788-123-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/1788-122-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1788-121-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1788-119-0x0000000000000000-mapping.dmp

Download
memory/1788-124-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/1788-125-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/1788-126-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1788-127-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/1788-130-0x0000000000110000-0x0000000000113000-memory.dmp

Filesize
12KB

Download
memory/1788-129-0x0000000000100000-0x0000000000103000-memory.dmp

Filesize
12KB

Download
memory/1788-128-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/1788-61-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download
memory/1788-59-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing