danabot | 2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7

General

Target

malware_smoke_1190770884.exe
Size

1.0MB
MD5

5b64b4c975ff001a2d99bf9b65b4b8bb
SHA1

a234b171340ca47f2a2fba0705911c61416e8985
SHA256

2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7
SHA512

7a923c06534c9d29d9911760ad3b3ebd685806ff2cb157a055616532cf7aeabe362005e6ab38d669087b076840d70f77bbd6f14500fc98b56c4f2cbe6856cd5d
SSDEEP

24576:vbahsA6iHbGRj+x7UkpFU/UzPkgSSML3xitJwDSmAESmB:OhsTibGRjM7UkpFRMxqwM

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
5C4A9996E213E13DC6AC3BC28C895A29
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 49 IoCs

Processes:

rundll32.exe

flow	pid	process
17	208	rundll32.exe
18	208	rundll32.exe
19	208	rundll32.exe
25	208	rundll32.exe
26	208	rundll32.exe
31	208	rundll32.exe
32	208	rundll32.exe
33	208	rundll32.exe
42	208	rundll32.exe
43	208	rundll32.exe
44	208	rundll32.exe
48	208	rundll32.exe
49	208	rundll32.exe
52	208	rundll32.exe
53	208	rundll32.exe
54	208	rundll32.exe
55	208	rundll32.exe
56	208	rundll32.exe
57	208	rundll32.exe
58	208	rundll32.exe
59	208	rundll32.exe
60	208	rundll32.exe
61	208	rundll32.exe
64	208	rundll32.exe
66	208	rundll32.exe
69	208	rundll32.exe
70	208	rundll32.exe
71	208	rundll32.exe
72	208	rundll32.exe
73	208	rundll32.exe
74	208	rundll32.exe
75	208	rundll32.exe
76	208	rundll32.exe
77	208	rundll32.exe
78	208	rundll32.exe
79	208	rundll32.exe
80	208	rundll32.exe
81	208	rundll32.exe
82	208	rundll32.exe
83	208	rundll32.exe
84	208	rundll32.exe
85	208	rundll32.exe
86	208	rundll32.exe
87	208	rundll32.exe
88	208	rundll32.exe
89	208	rundll32.exe
90	208	rundll32.exe
91	208	rundll32.exe
92	208	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3852 856 WerFault.exe malware_smoke_1190770884.exe

pid	pid_target	process	target process
3852	856	WerFault.exe	malware_smoke_1190770884.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

malware_smoke_1190770884.exe

description	pid	process	target process
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe
PID 856 wrote to memory of 208	856	malware_smoke_1190770884.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_1190770884.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_1190770884.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 608
2⤵
- Program crash
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 856 -ip 856
1⤵
PID:116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-144-0x0000000000B30000-0x0000000000B34000-memory.dmp

Filesize
16KB

Download
memory/208-136-0x0000000000000000-mapping.dmp

Download
memory/208-150-0x0000000000B90000-0x0000000000B94000-memory.dmp

Filesize
16KB

Download
memory/208-151-0x0000000000BA0000-0x0000000000BA4000-memory.dmp

Filesize
16KB

Download
memory/208-145-0x0000000000B40000-0x0000000000B44000-memory.dmp

Filesize
16KB

Download
memory/208-137-0x0000000000AC0000-0x0000000000AC4000-memory.dmp

Filesize
16KB

Download
memory/208-138-0x0000000000AD0000-0x0000000000AD4000-memory.dmp

Filesize
16KB

Download
memory/208-146-0x0000000000B50000-0x0000000000B54000-memory.dmp

Filesize
16KB

Download
memory/208-140-0x0000000000AF0000-0x0000000000AF4000-memory.dmp

Filesize
16KB

Download
memory/208-141-0x0000000000B00000-0x0000000000B04000-memory.dmp

Filesize
16KB

Download
memory/208-142-0x0000000000B10000-0x0000000000B14000-memory.dmp

Filesize
16KB

Download
memory/208-143-0x0000000000B20000-0x0000000000B24000-memory.dmp

Filesize
16KB

Download
memory/208-152-0x0000000000BB0000-0x0000000000BB4000-memory.dmp

Filesize
16KB

Download
memory/208-153-0x0000000000BC0000-0x0000000000BC4000-memory.dmp

Filesize
16KB

Download
memory/208-139-0x0000000000AE0000-0x0000000000AE4000-memory.dmp

Filesize
16KB

Download
memory/208-147-0x0000000000B60000-0x0000000000B64000-memory.dmp

Filesize
16KB

Download
memory/208-148-0x0000000000B70000-0x0000000000B74000-memory.dmp

Filesize
16KB

Download
memory/208-149-0x0000000000B80000-0x0000000000B84000-memory.dmp

Filesize
16KB

Download
memory/208-156-0x0000000000BF0000-0x0000000000BF4000-memory.dmp

Filesize
16KB

Download
memory/208-155-0x0000000000BE0000-0x0000000000BE4000-memory.dmp

Filesize
16KB

Download
memory/208-154-0x0000000000BD0000-0x0000000000BD4000-memory.dmp

Filesize
16KB

Download
memory/856-133-0x0000000002370000-0x0000000002555000-memory.dmp

Filesize
1.9MB

Download
memory/856-134-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/856-135-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/856-132-0x00000000022A2000-0x0000000002367000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing