danabot | bde3e0878d5d18e4779720ae17c2af24616ec1e7f2dd30325591916bec38c368

General

Target

malware_smoke_193871350.exe
Size

1.0MB
MD5

d4ec6a8ee6d40ea034dcbb75059154cb
SHA1

4578566122e5df6e565508d675a1f0df8026df84
SHA256

bde3e0878d5d18e4779720ae17c2af24616ec1e7f2dd30325591916bec38c368
SHA512

4d1d38d5a113694ae7e2cc3aa54f339ef42a5e455e07e2e7156bdcdcdc0186923baa963917d1adbf5f9a9dad02be7b8545a02a2a04bd66a75cb5c3c6df55a2a9
SSDEEP

24576:s59pejGNBSEPA9lb+nTdRwH28vzhtXBL3pYSFzCB:Apej8ulSTdRwfhtXBrx

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.254.129.180:443

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
5C4A9996E213E13DC6AC3BC28C895A29
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 64 IoCs

Processes:

rundll32.exe

flow	pid	process
23	4936	rundll32.exe
24	4936	rundll32.exe
25	4936	rundll32.exe
26	4936	rundll32.exe
37	4936	rundll32.exe
38	4936	rundll32.exe
39	4936	rundll32.exe
40	4936	rundll32.exe
41	4936	rundll32.exe
42	4936	rundll32.exe
44	4936	rundll32.exe
45	4936	rundll32.exe
46	4936	rundll32.exe
47	4936	rundll32.exe
50	4936	rundll32.exe
51	4936	rundll32.exe
55	4936	rundll32.exe
56	4936	rundll32.exe
57	4936	rundll32.exe
58	4936	rundll32.exe
59	4936	rundll32.exe
60	4936	rundll32.exe
61	4936	rundll32.exe
62	4936	rundll32.exe
68	4936	rundll32.exe
71	4936	rundll32.exe
72	4936	rundll32.exe
73	4936	rundll32.exe
75	4936	rundll32.exe
76	4936	rundll32.exe
77	4936	rundll32.exe
78	4936	rundll32.exe
79	4936	rundll32.exe
80	4936	rundll32.exe
81	4936	rundll32.exe
82	4936	rundll32.exe
83	4936	rundll32.exe
84	4936	rundll32.exe
85	4936	rundll32.exe
86	4936	rundll32.exe
87	4936	rundll32.exe
88	4936	rundll32.exe
89	4936	rundll32.exe
90	4936	rundll32.exe
91	4936	rundll32.exe
92	4936	rundll32.exe
93	4936	rundll32.exe
94	4936	rundll32.exe
95	4936	rundll32.exe
96	4936	rundll32.exe
97	4936	rundll32.exe
98	4936	rundll32.exe
99	4936	rundll32.exe
100	4936	rundll32.exe
101	4936	rundll32.exe
102	4936	rundll32.exe
103	4936	rundll32.exe
104	4936	rundll32.exe
105	4936	rundll32.exe
106	4936	rundll32.exe
107	4936	rundll32.exe
108	4936	rundll32.exe
109	4936	rundll32.exe
110	4936	rundll32.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1640 4708 WerFault.exe malware_smoke_193871350.exe
4164 4708 WerFault.exe malware_smoke_193871350.exe

pid	pid_target	process	target process
1640	4708	WerFault.exe	malware_smoke_193871350.exe
4164	4708	WerFault.exe	malware_smoke_193871350.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

malware_smoke_193871350.exe

description	pid	process	target process
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe
PID 4708 wrote to memory of 4936	4708	malware_smoke_193871350.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_193871350.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_193871350.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 632
2⤵
- Program crash
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 616
2⤵
- Program crash
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4708 -ip 4708
1⤵
PID:4516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4708-132-0x00000000022CD000-0x0000000002392000-memory.dmp

Filesize
788KB

Download
memory/4708-133-0x00000000023A0000-0x0000000002585000-memory.dmp

Filesize
1.9MB

Download
memory/4708-134-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4708-135-0x00000000023A0000-0x0000000002585000-memory.dmp

Filesize
1.9MB

Download
memory/4708-136-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4936-137-0x0000000000000000-mapping.dmp

Download
memory/4936-139-0x00000000006F0000-0x00000000006F3000-memory.dmp

Filesize
12KB

Download
memory/4936-138-0x00000000006E0000-0x00000000006E3000-memory.dmp

Filesize
12KB

Download
memory/4936-140-0x0000000000700000-0x0000000000703000-memory.dmp

Filesize
12KB

Download
memory/4936-141-0x0000000000710000-0x0000000000713000-memory.dmp

Filesize
12KB

Download
memory/4936-142-0x0000000000720000-0x0000000000723000-memory.dmp

Filesize
12KB

Download
memory/4936-143-0x0000000000730000-0x0000000000733000-memory.dmp

Filesize
12KB

Download
memory/4936-145-0x0000000000750000-0x0000000000753000-memory.dmp

Filesize
12KB

Download
memory/4936-144-0x0000000000740000-0x0000000000743000-memory.dmp

Filesize
12KB

Download
memory/4936-146-0x0000000000750000-0x0000000000753000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing