danabot | 912e48c880423c13566dcee31ceeff8a34a66fcca0745b9645a5ff541f41aff5

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 13:41

Target

malware_smoke_2950363636.exe
Size

990KB
MD5

b7a941ccee51c48bd6d1ec4647a84bba
SHA1

6dcad292e3ed53b6c585e349816a0bc1ed6efd89
SHA256

912e48c880423c13566dcee31ceeff8a34a66fcca0745b9645a5ff541f41aff5
SHA512

ee2705dd26dbde88680e20e4dad48ac4b46ec0cda72df2dc7b895d01a64a8d2f02e07e7ce106f80ed876b9ef07a692224e891a129d396711cc98f21ac35c8682
SSDEEP

24576:8BP9QEFEiRKoxL91U0M04Sgkcd4LMnC2:IHFdRKOL92046s4La1

Score

10^/10

Family

danabot

Botnet

104.168.167.51:443

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 32 IoCs

Processes:

rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1768 2724 WerFault.exe malware_smoke_2950363636.exe

pid	pid_target	process	target process
1768	2724	WerFault.exe	malware_smoke_2950363636.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

malware_smoke_2950363636.exe

description	pid	process	target process
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe
PID 2724 wrote to memory of 4600	2724	malware_smoke_2950363636.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_2950363636.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_2950363636.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 608
2⤵
- Program crash
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2724 -ip 2724
1⤵
PID:1912

memory/2724-132-0x00000000008E4000-0x00000000009A9000-memory.dmp

Filesize
788KB

Download
memory/2724-133-0x00000000023C0000-0x00000000025A5000-memory.dmp

Filesize
1.9MB

Download
memory/2724-134-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/2724-138-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4600-135-0x0000000000000000-mapping.dmp

Download
memory/4600-136-0x00000000004A0000-0x00000000004A3000-memory.dmp

Filesize
12KB

Download
memory/4600-137-0x00000000004B0000-0x00000000004B3000-memory.dmp

Filesize
12KB

Download
memory/4600-139-0x00000000004B0000-0x00000000004B3000-memory.dmp

Filesize
12KB

Download