danabot | 912e48c880423c13566dcee31ceeff8a34a66fcca0745b9645a5ff541f41aff5

General

Target

malware_smoke_2950363636.exe
Size

990KB
MD5

b7a941ccee51c48bd6d1ec4647a84bba
SHA1

6dcad292e3ed53b6c585e349816a0bc1ed6efd89
SHA256

912e48c880423c13566dcee31ceeff8a34a66fcca0745b9645a5ff541f41aff5
SHA512

ee2705dd26dbde88680e20e4dad48ac4b46ec0cda72df2dc7b895d01a64a8d2f02e07e7ce106f80ed876b9ef07a692224e891a129d396711cc98f21ac35c8682
SSDEEP

24576:8BP9QEFEiRKoxL91U0M04Sgkcd4LMnC2:IHFdRKOL92046s4La1

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

104.168.167.51:443

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
38025B93DA95E52B49DBD6CF4413C95E
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 44 IoCs

Processes:

rundll32.exe

flow	pid	process
2	1748	rundll32.exe
4	1748	rundll32.exe
5	1748	rundll32.exe
6	1748	rundll32.exe
7	1748	rundll32.exe
8	1748	rundll32.exe
10	1748	rundll32.exe
11	1748	rundll32.exe
12	1748	rundll32.exe
13	1748	rundll32.exe
14	1748	rundll32.exe
15	1748	rundll32.exe
16	1748	rundll32.exe
17	1748	rundll32.exe
18	1748	rundll32.exe
19	1748	rundll32.exe
20	1748	rundll32.exe
21	1748	rundll32.exe
22	1748	rundll32.exe
23	1748	rundll32.exe
24	1748	rundll32.exe
25	1748	rundll32.exe
26	1748	rundll32.exe
27	1748	rundll32.exe
28	1748	rundll32.exe
29	1748	rundll32.exe
30	1748	rundll32.exe
31	1748	rundll32.exe
32	1748	rundll32.exe
33	1748	rundll32.exe
34	1748	rundll32.exe
35	1748	rundll32.exe
36	1748	rundll32.exe
37	1748	rundll32.exe
38	1748	rundll32.exe
39	1748	rundll32.exe
40	1748	rundll32.exe
41	1748	rundll32.exe
42	1748	rundll32.exe
43	1748	rundll32.exe
44	1748	rundll32.exe
45	1748	rundll32.exe
46	1748	rundll32.exe
47	1748	rundll32.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

malware_smoke_2950363636.exe

description	pid	process	target process
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe
PID 1584 wrote to memory of 1748	1584	malware_smoke_2950363636.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_2950363636.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_2950363636.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-54-0x0000000000320000-0x00000000003E5000-memory.dmp

Filesize
788KB

Download
memory/1584-55-0x0000000000320000-0x00000000003E5000-memory.dmp

Filesize
788KB

Download
memory/1584-56-0x00000000020E0000-0x00000000022C5000-memory.dmp

Filesize
1.9MB

Download
memory/1584-57-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1584-58-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1584-112-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1584-111-0x00000000020E0000-0x00000000022C5000-memory.dmp

Filesize
1.9MB

Download
memory/1748-105-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1748-103-0x0000000000000000-mapping.dmp

Download
memory/1748-106-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1748-107-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/1748-108-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/1748-109-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/1748-110-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1748-61-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/1748-59-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/1748-113-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing