danabot | 11188308a802fdedde930ef0248c8729ae745a37d700c247b860831e80cb382f

General

Target

malware_smoke_1948183113.exe
Size

990KB
MD5

4020602025208f7d60159fed7deaf9e6
SHA1

e511bb17221bf322d43374b32fa976d84be22230
SHA256

11188308a802fdedde930ef0248c8729ae745a37d700c247b860831e80cb382f
SHA512

3455639ee6f2307a082d05157f908b3fbea6f2f76b3a2e6ad90c44bf8c0346608b00507d3d497795f8e70262e25e76ed7b435e73341d69432dbdc64fcd06cfbc
SSDEEP

24576:XJU6CFSVtle0DaUnAFc4ihhN2cXB4G1p6E:ayPdIFct3NtRv

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

104.168.167.51:443

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
38025B93DA95E52B49DBD6CF4413C95E
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 13 IoCs

Processes:

rundll32.exe

flow	pid	process
14	4880	rundll32.exe
15	4880	rundll32.exe
38	4880	rundll32.exe
39	4880	rundll32.exe
55	4880	rundll32.exe
56	4880	rundll32.exe
57	4880	rundll32.exe
58	4880	rundll32.exe
59	4880	rundll32.exe
63	4880	rundll32.exe
64	4880	rundll32.exe
65	4880	rundll32.exe
66	4880	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4792 1680 WerFault.exe malware_smoke_1948183113.exe

pid	pid_target	process	target process
4792	1680	WerFault.exe	malware_smoke_1948183113.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

malware_smoke_1948183113.exe

description	pid	process	target process
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe
PID 1680 wrote to memory of 4880	1680	malware_smoke_1948183113.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_1948183113.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_1948183113.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 612
2⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1680 -ip 1680
1⤵
PID:4896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-132-0x0000000000779000-0x000000000083E000-memory.dmp

Filesize
788KB

Download
memory/1680-133-0x00000000023C0000-0x00000000025A5000-memory.dmp

Filesize
1.9MB

Download
memory/1680-134-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1680-143-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1680-142-0x00000000023C0000-0x00000000025A5000-memory.dmp

Filesize
1.9MB

Download
memory/4880-138-0x0000000000960000-0x0000000000964000-memory.dmp

Filesize
16KB

Download
memory/4880-137-0x0000000000950000-0x0000000000954000-memory.dmp

Filesize
16KB

Download
memory/4880-139-0x0000000000970000-0x0000000000974000-memory.dmp

Filesize
16KB

Download
memory/4880-140-0x0000000000980000-0x0000000000984000-memory.dmp

Filesize
16KB

Download
memory/4880-141-0x0000000000990000-0x0000000000994000-memory.dmp

Filesize
16KB

Download
memory/4880-136-0x0000000000940000-0x0000000000944000-memory.dmp

Filesize
16KB

Download
memory/4880-135-0x0000000000000000-mapping.dmp

Download
memory/4880-144-0x0000000000990000-0x0000000000994000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing