danabot | db6cb279687271bd10869c3adc5c1a088e5646888eb40b99727ff50e520c4273

General

Target

malware_smoke_2637256550.exe
Size

996KB
MD5

787518326366c6a091ae2dcfa8366863
SHA1

44123f51e2c418873d3b044a844227b56d8752aa
SHA256

db6cb279687271bd10869c3adc5c1a088e5646888eb40b99727ff50e520c4273
SHA512

c8abe9ca1d7b33dda78b7b7794dec3a68621fd9a101ed3763c5265b75711dec12ae0e4d7016d476511de20b32e607bfec50349fe611a1dddbb6534cdc00238a6
SSDEEP

24576:c97OWzmUPHZOsjPKMLzrWAFICOxa2w9Np:azrPHvjPPLzrfp4

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

192.236.160.244:443

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
CA3B5B378FAA92E7051F984E02120FDD
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 39 IoCs

Processes:

rundll32.exe

flow	pid	process
2	1948	rundll32.exe
5	1948	rundll32.exe
6	1948	rundll32.exe
7	1948	rundll32.exe
8	1948	rundll32.exe
10	1948	rundll32.exe
11	1948	rundll32.exe
12	1948	rundll32.exe
13	1948	rundll32.exe
14	1948	rundll32.exe
15	1948	rundll32.exe
16	1948	rundll32.exe
17	1948	rundll32.exe
18	1948	rundll32.exe
19	1948	rundll32.exe
20	1948	rundll32.exe
21	1948	rundll32.exe
22	1948	rundll32.exe
23	1948	rundll32.exe
24	1948	rundll32.exe
25	1948	rundll32.exe
26	1948	rundll32.exe
27	1948	rundll32.exe
28	1948	rundll32.exe
29	1948	rundll32.exe
30	1948	rundll32.exe
31	1948	rundll32.exe
32	1948	rundll32.exe
33	1948	rundll32.exe
34	1948	rundll32.exe
35	1948	rundll32.exe
36	1948	rundll32.exe
37	1948	rundll32.exe
38	1948	rundll32.exe
39	1948	rundll32.exe
40	1948	rundll32.exe
41	1948	rundll32.exe
42	1948	rundll32.exe
45	1948	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

malware_smoke_2637256550.exe

description	pid	process	target process
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe
PID 1612 wrote to memory of 1948	1612	malware_smoke_2637256550.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_2637256550.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_2637256550.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1612-54-0x0000000000220000-0x00000000002E7000-memory.dmp

Filesize
796KB

Download
memory/1612-55-0x0000000000220000-0x00000000002E7000-memory.dmp

Filesize
796KB

Download
memory/1612-56-0x0000000001F80000-0x0000000002169000-memory.dmp

Filesize
1.9MB

Download
memory/1612-57-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/1612-58-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1612-96-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/1612-95-0x0000000001F80000-0x0000000002169000-memory.dmp

Filesize
1.9MB

Download
memory/1948-90-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1948-87-0x0000000000000000-mapping.dmp

Download
memory/1948-89-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1948-91-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/1948-92-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/1948-93-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/1948-94-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1948-61-0x0000000000150000-0x0000000000153000-memory.dmp

Filesize
12KB

Download
memory/1948-59-0x0000000000150000-0x0000000000153000-memory.dmp

Filesize
12KB

Download
memory/1948-97-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing