danabot | 5ddd99e29124b4d53e2601159dac900506af9ecb753950adf336d1fa8b96d4cc

Analysis

max time kernel
160s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_smoke_2023851858.exe
Size

1.0MB
MD5

9f8317bfddacbaf1f683d0c510eeb3a1
SHA1

f068c51bacb11e40a05cfced8f4d2b5b33968706
SHA256

5ddd99e29124b4d53e2601159dac900506af9ecb753950adf336d1fa8b96d4cc
SHA512

88913e89b9df7b9da1ede38acd782fbc3b61a709ddf54860a0c30afa006241f06464036ea496988cd7d9bd9ccbf77d13671c65f41d50d1910b10e8d8b90d098b
SSDEEP

24576:NnK3WqmTAxH1g+HLP0kc8Pwyh39GzhZNB:o3WqmMnXfc8SP

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
5C4A9996E213E13DC6AC3BC28C895A29
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 64 IoCs

Processes:

rundll32.exe

flow	pid	process
13	1656	rundll32.exe
24	1656	rundll32.exe
25	1656	rundll32.exe
46	1656	rundll32.exe
47	1656	rundll32.exe
52	1656	rundll32.exe
53	1656	rundll32.exe
54	1656	rundll32.exe
55	1656	rundll32.exe
56	1656	rundll32.exe
57	1656	rundll32.exe
58	1656	rundll32.exe
59	1656	rundll32.exe
60	1656	rundll32.exe
61	1656	rundll32.exe
62	1656	rundll32.exe
63	1656	rundll32.exe
64	1656	rundll32.exe
65	1656	rundll32.exe
66	1656	rundll32.exe
67	1656	rundll32.exe
68	1656	rundll32.exe
69	1656	rundll32.exe
70	1656	rundll32.exe
71	1656	rundll32.exe
72	1656	rundll32.exe
73	1656	rundll32.exe
74	1656	rundll32.exe
75	1656	rundll32.exe
76	1656	rundll32.exe
77	1656	rundll32.exe
78	1656	rundll32.exe
79	1656	rundll32.exe
80	1656	rundll32.exe
81	1656	rundll32.exe
82	1656	rundll32.exe
83	1656	rundll32.exe
84	1656	rundll32.exe
85	1656	rundll32.exe
86	1656	rundll32.exe
87	1656	rundll32.exe
88	1656	rundll32.exe
89	1656	rundll32.exe
90	1656	rundll32.exe
91	1656	rundll32.exe
92	1656	rundll32.exe
93	1656	rundll32.exe
94	1656	rundll32.exe
95	1656	rundll32.exe
96	1656	rundll32.exe
97	1656	rundll32.exe
98	1656	rundll32.exe
99	1656	rundll32.exe
100	1656	rundll32.exe
101	1656	rundll32.exe
102	1656	rundll32.exe
103	1656	rundll32.exe
104	1656	rundll32.exe
105	1656	rundll32.exe
106	1656	rundll32.exe
107	1656	rundll32.exe
108	1656	rundll32.exe
109	1656	rundll32.exe
110	1656	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1116 1508 WerFault.exe malware_smoke_2023851858.exe

pid	pid_target	process	target process
1116	1508	WerFault.exe	malware_smoke_2023851858.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

malware_smoke_2023851858.exe

description	pid	process	target process
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe
PID 1508 wrote to memory of 1656	1508	malware_smoke_2023851858.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_2023851858.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_2023851858.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 608
2⤵
- Program crash
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1508 -ip 1508
1⤵
PID:312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-133-0x0000000002410000-0x00000000025F5000-memory.dmp

Filesize
1.9MB

Download
memory/1508-132-0x0000000000B78000-0x0000000000C3D000-memory.dmp

Filesize
788KB

Download
memory/1508-134-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1508-138-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1656-135-0x0000000000000000-mapping.dmp

Download
memory/1656-137-0x0000000000EE0000-0x0000000000EE4000-memory.dmp

Filesize
16KB

Download
memory/1656-136-0x0000000000ED0000-0x0000000000ED4000-memory.dmp

Filesize
16KB

Download