danabot | 11188308a802fdedde930ef0248c8729ae745a37d700c247b860831e80cb382f

General

Target

malware_smoke_1948183113.exe
Size

990KB
MD5

4020602025208f7d60159fed7deaf9e6
SHA1

e511bb17221bf322d43374b32fa976d84be22230
SHA256

11188308a802fdedde930ef0248c8729ae745a37d700c247b860831e80cb382f
SHA512

3455639ee6f2307a082d05157f908b3fbea6f2f76b3a2e6ad90c44bf8c0346608b00507d3d497795f8e70262e25e76ed7b435e73341d69432dbdc64fcd06cfbc
SSDEEP

24576:XJU6CFSVtle0DaUnAFc4ihhN2cXB4G1p6E:ayPdIFct3NtRv

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

104.168.167.51:443

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
38025B93DA95E52B49DBD6CF4413C95E
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 46 IoCs

Processes:

rundll32.exe

flow	pid	process
2	1204	rundll32.exe
4	1204	rundll32.exe
5	1204	rundll32.exe
6	1204	rundll32.exe
7	1204	rundll32.exe
8	1204	rundll32.exe
9	1204	rundll32.exe
10	1204	rundll32.exe
11	1204	rundll32.exe
12	1204	rundll32.exe
13	1204	rundll32.exe
14	1204	rundll32.exe
15	1204	rundll32.exe
16	1204	rundll32.exe
18	1204	rundll32.exe
19	1204	rundll32.exe
20	1204	rundll32.exe
21	1204	rundll32.exe
22	1204	rundll32.exe
23	1204	rundll32.exe
24	1204	rundll32.exe
25	1204	rundll32.exe
26	1204	rundll32.exe
27	1204	rundll32.exe
28	1204	rundll32.exe
29	1204	rundll32.exe
30	1204	rundll32.exe
31	1204	rundll32.exe
32	1204	rundll32.exe
33	1204	rundll32.exe
34	1204	rundll32.exe
35	1204	rundll32.exe
36	1204	rundll32.exe
37	1204	rundll32.exe
38	1204	rundll32.exe
39	1204	rundll32.exe
40	1204	rundll32.exe
41	1204	rundll32.exe
42	1204	rundll32.exe
43	1204	rundll32.exe
44	1204	rundll32.exe
45	1204	rundll32.exe
46	1204	rundll32.exe
47	1204	rundll32.exe
48	1204	rundll32.exe
49	1204	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

malware_smoke_1948183113.exe

description	pid	process	target process
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe
PID 1744 wrote to memory of 1204	1744	malware_smoke_1948183113.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_1948183113.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_1948183113.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-56-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1204-58-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/1204-101-0x0000000000000000-mapping.dmp

Download
memory/1204-104-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1204-103-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1204-106-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1744-54-0x00000000002F0000-0x00000000003B5000-memory.dmp

Filesize
788KB

Download
memory/1744-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1744-94-0x00000000002F0000-0x00000000003B5000-memory.dmp

Filesize
788KB

Download
memory/1744-95-0x0000000001F40000-0x0000000002125000-memory.dmp

Filesize
1.9MB

Download
memory/1744-96-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1744-105-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing