danabot | 2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7

Analysis

max time kernel
188s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_smoke_1190770884.exe
Size

1.0MB
MD5

5b64b4c975ff001a2d99bf9b65b4b8bb
SHA1

a234b171340ca47f2a2fba0705911c61416e8985
SHA256

2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7
SHA512

7a923c06534c9d29d9911760ad3b3ebd685806ff2cb157a055616532cf7aeabe362005e6ab38d669087b076840d70f77bbd6f14500fc98b56c4f2cbe6856cd5d
SSDEEP

24576:vbahsA6iHbGRj+x7UkpFU/UzPkgSSML3xitJwDSmAESmB:OhsTibGRjM7UkpFRMxqwM

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
5C4A9996E213E13DC6AC3BC28C895A29
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 49 IoCs

flow	pid	Process
17	208	rundll32.exe
18	208	rundll32.exe
19	208	rundll32.exe
25	208	rundll32.exe
26	208	rundll32.exe
31	208	rundll32.exe
32	208	rundll32.exe
33	208	rundll32.exe
42	208	rundll32.exe
43	208	rundll32.exe
44	208	rundll32.exe
48	208	rundll32.exe
49	208	rundll32.exe
52	208	rundll32.exe
53	208	rundll32.exe
54	208	rundll32.exe
55	208	rundll32.exe
56	208	rundll32.exe
57	208	rundll32.exe
58	208	rundll32.exe
59	208	rundll32.exe
60	208	rundll32.exe
61	208	rundll32.exe
64	208	rundll32.exe
66	208	rundll32.exe
69	208	rundll32.exe
70	208	rundll32.exe
71	208	rundll32.exe
72	208	rundll32.exe
73	208	rundll32.exe
74	208	rundll32.exe
75	208	rundll32.exe
76	208	rundll32.exe
77	208	rundll32.exe
78	208	rundll32.exe
79	208	rundll32.exe
80	208	rundll32.exe
81	208	rundll32.exe
82	208	rundll32.exe
83	208	rundll32.exe
84	208	rundll32.exe
85	208	rundll32.exe
86	208	rundll32.exe
87	208	rundll32.exe
88	208	rundll32.exe
89	208	rundll32.exe
90	208	rundll32.exe
91	208	rundll32.exe
92	208	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3852	856	WerFault.exe	77

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	80

C:\Users\Admin\AppData\Local\Temp\malware_smoke_1190770884.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_1190770884.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 608
  2⤵
  - Program crash
  PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 856 -ip 856
1⤵
PID:116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-144-0x0000000000B30000-0x0000000000B34000-memory.dmp

Filesize
16KB

Download
memory/208-150-0x0000000000B90000-0x0000000000B94000-memory.dmp

Filesize
16KB

Download
memory/208-151-0x0000000000BA0000-0x0000000000BA4000-memory.dmp

Filesize
16KB

Download
memory/208-145-0x0000000000B40000-0x0000000000B44000-memory.dmp

Filesize
16KB

Download
memory/208-137-0x0000000000AC0000-0x0000000000AC4000-memory.dmp

Filesize
16KB

Download
memory/208-138-0x0000000000AD0000-0x0000000000AD4000-memory.dmp

Filesize
16KB

Download
memory/208-146-0x0000000000B50000-0x0000000000B54000-memory.dmp

Filesize
16KB

Download
memory/208-140-0x0000000000AF0000-0x0000000000AF4000-memory.dmp

Filesize
16KB

Download
memory/208-141-0x0000000000B00000-0x0000000000B04000-memory.dmp

Filesize
16KB

Download
memory/208-142-0x0000000000B10000-0x0000000000B14000-memory.dmp

Filesize
16KB

Download
memory/208-143-0x0000000000B20000-0x0000000000B24000-memory.dmp

Filesize
16KB

Download
memory/208-152-0x0000000000BB0000-0x0000000000BB4000-memory.dmp

Filesize
16KB

Download
memory/208-153-0x0000000000BC0000-0x0000000000BC4000-memory.dmp

Filesize
16KB

Download
memory/208-139-0x0000000000AE0000-0x0000000000AE4000-memory.dmp

Filesize
16KB

Download
memory/208-147-0x0000000000B60000-0x0000000000B64000-memory.dmp

Filesize
16KB

Download
memory/208-148-0x0000000000B70000-0x0000000000B74000-memory.dmp

Filesize
16KB

Download
memory/208-149-0x0000000000B80000-0x0000000000B84000-memory.dmp

Filesize
16KB

Download
memory/208-156-0x0000000000BF0000-0x0000000000BF4000-memory.dmp

Filesize
16KB

Download
memory/208-155-0x0000000000BE0000-0x0000000000BE4000-memory.dmp

Filesize
16KB

Download
memory/208-154-0x0000000000BD0000-0x0000000000BD4000-memory.dmp

Filesize
16KB

Download
memory/856-133-0x0000000002370000-0x0000000002555000-memory.dmp

Filesize
1.9MB

Download
memory/856-134-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/856-135-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/856-132-0x00000000022A2000-0x0000000002367000-memory.dmp

Filesize
788KB

Download