Analysis

  • max time kernel
    145s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2022 14:00

General

  • Target

    malware_smoke_193871350.exe

  • Size

    1.0MB

  • MD5

    d4ec6a8ee6d40ea034dcbb75059154cb

  • SHA1

    4578566122e5df6e565508d675a1f0df8026df84

  • SHA256

    bde3e0878d5d18e4779720ae17c2af24616ec1e7f2dd30325591916bec38c368

  • SHA512

    4d1d38d5a113694ae7e2cc3aa54f339ef42a5e455e07e2e7156bdcdcdc0186923baa963917d1adbf5f9a9dad02be7b8545a02a2a04bd66a75cb5c3c6df55a2a9

  • SSDEEP

    24576:s59pejGNBSEPA9lb+nTdRwH28vzhtXBL3pYSFzCB:Apej8ulSTdRwfhtXBrx

Score
10/10

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes
  • embedded_hash

    5C4A9996E213E13DC6AC3BC28C895A29

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request 64 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\malware_smoke_193871350.exe
    "C:\Users\Admin\AppData\Local\Temp\malware_smoke_193871350.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Blocklisted process makes network request
      PID:4936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 632
      2⤵
      • Program crash
      PID:1640
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 616
      2⤵
      • Program crash
      PID:4164
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708
    1⤵
      PID:4816
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4708 -ip 4708
      1⤵
        PID:4516

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4708-132-0x00000000022CD000-0x0000000002392000-memory.dmp
        Filesize

        788KB

      • memory/4708-133-0x00000000023A0000-0x0000000002585000-memory.dmp
        Filesize

        1.9MB

      • memory/4708-134-0x0000000000400000-0x00000000005F0000-memory.dmp
        Filesize

        1.9MB

      • memory/4708-135-0x00000000023A0000-0x0000000002585000-memory.dmp
        Filesize

        1.9MB

      • memory/4708-136-0x0000000000400000-0x00000000005F0000-memory.dmp
        Filesize

        1.9MB

      • memory/4936-137-0x0000000000000000-mapping.dmp
      • memory/4936-139-0x00000000006F0000-0x00000000006F3000-memory.dmp
        Filesize

        12KB

      • memory/4936-138-0x00000000006E0000-0x00000000006E3000-memory.dmp
        Filesize

        12KB

      • memory/4936-140-0x0000000000700000-0x0000000000703000-memory.dmp
        Filesize

        12KB

      • memory/4936-141-0x0000000000710000-0x0000000000713000-memory.dmp
        Filesize

        12KB

      • memory/4936-142-0x0000000000720000-0x0000000000723000-memory.dmp
        Filesize

        12KB

      • memory/4936-143-0x0000000000730000-0x0000000000733000-memory.dmp
        Filesize

        12KB

      • memory/4936-145-0x0000000000750000-0x0000000000753000-memory.dmp
        Filesize

        12KB

      • memory/4936-144-0x0000000000740000-0x0000000000743000-memory.dmp
        Filesize

        12KB

      • memory/4936-146-0x0000000000750000-0x0000000000753000-memory.dmp
        Filesize

        12KB