danabot | bde3e0878d5d18e4779720ae17c2af24616ec1e7f2dd30325591916bec38c368

General

Target

malware_smoke_193871350.exe
Size

1.0MB
MD5

d4ec6a8ee6d40ea034dcbb75059154cb
SHA1

4578566122e5df6e565508d675a1f0df8026df84
SHA256

bde3e0878d5d18e4779720ae17c2af24616ec1e7f2dd30325591916bec38c368
SHA512

4d1d38d5a113694ae7e2cc3aa54f339ef42a5e455e07e2e7156bdcdcdc0186923baa963917d1adbf5f9a9dad02be7b8545a02a2a04bd66a75cb5c3c6df55a2a9
SSDEEP

24576:s59pejGNBSEPA9lb+nTdRwH28vzhtXBL3pYSFzCB:Apej8ulSTdRwfhtXBrx

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
5C4A9996E213E13DC6AC3BC28C895A29
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 54 IoCs

Processes:

rundll32.exe

flow	pid	process
4	1756	rundll32.exe
5	1756	rundll32.exe
6	1756	rundll32.exe
7	1756	rundll32.exe
10	1756	rundll32.exe
11	1756	rundll32.exe
12	1756	rundll32.exe
13	1756	rundll32.exe
14	1756	rundll32.exe
15	1756	rundll32.exe
16	1756	rundll32.exe
17	1756	rundll32.exe
18	1756	rundll32.exe
19	1756	rundll32.exe
20	1756	rundll32.exe
21	1756	rundll32.exe
22	1756	rundll32.exe
23	1756	rundll32.exe
24	1756	rundll32.exe
25	1756	rundll32.exe
26	1756	rundll32.exe
27	1756	rundll32.exe
28	1756	rundll32.exe
29	1756	rundll32.exe
30	1756	rundll32.exe
31	1756	rundll32.exe
32	1756	rundll32.exe
33	1756	rundll32.exe
34	1756	rundll32.exe
35	1756	rundll32.exe
36	1756	rundll32.exe
37	1756	rundll32.exe
38	1756	rundll32.exe
39	1756	rundll32.exe
40	1756	rundll32.exe
41	1756	rundll32.exe
42	1756	rundll32.exe
43	1756	rundll32.exe
44	1756	rundll32.exe
45	1756	rundll32.exe
46	1756	rundll32.exe
47	1756	rundll32.exe
48	1756	rundll32.exe
49	1756	rundll32.exe
50	1756	rundll32.exe
51	1756	rundll32.exe
52	1756	rundll32.exe
53	1756	rundll32.exe
54	1756	rundll32.exe
55	1756	rundll32.exe
56	1756	rundll32.exe
57	1756	rundll32.exe
58	1756	rundll32.exe
59	1756	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

malware_smoke_193871350.exe

description	pid	process	target process
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe
PID 604 wrote to memory of 1756	604	malware_smoke_193871350.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_193871350.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_193871350.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/604-89-0x0000000001F60000-0x0000000002145000-memory.dmp

Filesize
1.9MB

Download
memory/604-90-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/604-54-0x00000000002B0000-0x0000000000375000-memory.dmp

Filesize
788KB

Download
memory/604-57-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/604-58-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/604-55-0x00000000002B0000-0x0000000000375000-memory.dmp

Filesize
788KB

Download
memory/604-56-0x0000000001F60000-0x0000000002145000-memory.dmp

Filesize
1.9MB

Download
memory/1756-59-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/1756-61-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/1756-91-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/1756-87-0x0000000000000000-mapping.dmp

Download
memory/1756-93-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/1756-92-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1756-95-0x0000000000100000-0x0000000000103000-memory.dmp

Filesize
12KB

Download
memory/1756-94-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/1756-96-0x0000000000110000-0x0000000000113000-memory.dmp

Filesize
12KB

Download
memory/1756-97-0x0000000000120000-0x0000000000123000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing