danabot | 5ddd99e29124b4d53e2601159dac900506af9ecb753950adf336d1fa8b96d4cc

General

Target

malware_smoke_2023851858.exe
Size

1.0MB
MD5

9f8317bfddacbaf1f683d0c510eeb3a1
SHA1

f068c51bacb11e40a05cfced8f4d2b5b33968706
SHA256

5ddd99e29124b4d53e2601159dac900506af9ecb753950adf336d1fa8b96d4cc
SHA512

88913e89b9df7b9da1ede38acd782fbc3b61a709ddf54860a0c30afa006241f06464036ea496988cd7d9bd9ccbf77d13671c65f41d50d1910b10e8d8b90d098b
SSDEEP

24576:NnK3WqmTAxH1g+HLP0kc8Pwyh39GzhZNB:o3WqmMnXfc8SP

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
5C4A9996E213E13DC6AC3BC28C895A29
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 64 IoCs

Processes:

rundll32.exe

flow	pid	process
2	1260	rundll32.exe
4	1260	rundll32.exe
6	1260	rundll32.exe
7	1260	rundll32.exe
8	1260	rundll32.exe
9	1260	rundll32.exe
10	1260	rundll32.exe
11	1260	rundll32.exe
12	1260	rundll32.exe
13	1260	rundll32.exe
14	1260	rundll32.exe
15	1260	rundll32.exe
16	1260	rundll32.exe
17	1260	rundll32.exe
18	1260	rundll32.exe
19	1260	rundll32.exe
20	1260	rundll32.exe
22	1260	rundll32.exe
23	1260	rundll32.exe
24	1260	rundll32.exe
25	1260	rundll32.exe
26	1260	rundll32.exe
27	1260	rundll32.exe
28	1260	rundll32.exe
29	1260	rundll32.exe
30	1260	rundll32.exe
31	1260	rundll32.exe
32	1260	rundll32.exe
33	1260	rundll32.exe
34	1260	rundll32.exe
35	1260	rundll32.exe
36	1260	rundll32.exe
37	1260	rundll32.exe
38	1260	rundll32.exe
39	1260	rundll32.exe
40	1260	rundll32.exe
41	1260	rundll32.exe
42	1260	rundll32.exe
43	1260	rundll32.exe
44	1260	rundll32.exe
45	1260	rundll32.exe
46	1260	rundll32.exe
47	1260	rundll32.exe
48	1260	rundll32.exe
49	1260	rundll32.exe
50	1260	rundll32.exe
51	1260	rundll32.exe
52	1260	rundll32.exe
53	1260	rundll32.exe
54	1260	rundll32.exe
55	1260	rundll32.exe
56	1260	rundll32.exe
57	1260	rundll32.exe
58	1260	rundll32.exe
59	1260	rundll32.exe
60	1260	rundll32.exe
61	1260	rundll32.exe
62	1260	rundll32.exe
63	1260	rundll32.exe
64	1260	rundll32.exe
65	1260	rundll32.exe
66	1260	rundll32.exe
67	1260	rundll32.exe
68	1260	rundll32.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

malware_smoke_2023851858.exe

description	pid	process	target process
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe
PID 1392 wrote to memory of 1260	1392	malware_smoke_2023851858.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_2023851858.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_2023851858.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1260-59-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download
memory/1260-61-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download
memory/1260-111-0x0000000000000000-mapping.dmp

Download
memory/1260-114-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1260-113-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1260-116-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1392-54-0x00000000005F0000-0x00000000006B5000-memory.dmp

Filesize
788KB

Download
memory/1392-55-0x00000000005F0000-0x00000000006B5000-memory.dmp

Filesize
788KB

Download
memory/1392-56-0x0000000001EF0000-0x00000000020D5000-memory.dmp

Filesize
1.9MB

Download
memory/1392-57-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1392-58-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1392-115-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing