danabot | 3f2fa8fca7ba420f027c34c8b64201fa533ca9ddd5c29770d1ae6887543236bb

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_smoke_809594919.exe
Size

1011KB
MD5

37d8178ae059b50a0a8f3029aec04dd4
SHA1

ae023282071e3f7dfb66cb2f9023e0878716c29a
SHA256

3f2fa8fca7ba420f027c34c8b64201fa533ca9ddd5c29770d1ae6887543236bb
SHA512

3fb90a11985ac0eea58d57344e095b62c678325961605372fa3f0db2393140128ccd2dac25202e0a345a0ee5b59a559a5a74eb81e753a264a7c1e0a2e7b1f63d
SSDEEP

24576:Vp9jw0ccQSjBeJ90i7KV7rSKNq43UfuaUHOavdLL:+fcru2QKV7rSR4gYL

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
12DF5314C5FDA13D9BF397EE140FD5E8
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 48 IoCs

Processes:

rundll32.exe

flow	pid	process
2	1688	rundll32.exe
4	1688	rundll32.exe
5	1688	rundll32.exe
6	1688	rundll32.exe
7	1688	rundll32.exe
8	1688	rundll32.exe
9	1688	rundll32.exe
10	1688	rundll32.exe
11	1688	rundll32.exe
12	1688	rundll32.exe
13	1688	rundll32.exe
14	1688	rundll32.exe
15	1688	rundll32.exe
17	1688	rundll32.exe
18	1688	rundll32.exe
19	1688	rundll32.exe
20	1688	rundll32.exe
21	1688	rundll32.exe
22	1688	rundll32.exe
23	1688	rundll32.exe
24	1688	rundll32.exe
25	1688	rundll32.exe
26	1688	rundll32.exe
27	1688	rundll32.exe
28	1688	rundll32.exe
29	1688	rundll32.exe
30	1688	rundll32.exe
31	1688	rundll32.exe
32	1688	rundll32.exe
33	1688	rundll32.exe
34	1688	rundll32.exe
35	1688	rundll32.exe
36	1688	rundll32.exe
37	1688	rundll32.exe
38	1688	rundll32.exe
39	1688	rundll32.exe
40	1688	rundll32.exe
41	1688	rundll32.exe
42	1688	rundll32.exe
43	1688	rundll32.exe
44	1688	rundll32.exe
45	1688	rundll32.exe
46	1688	rundll32.exe
47	1688	rundll32.exe
48	1688	rundll32.exe
49	1688	rundll32.exe
50	1688	rundll32.exe
51	1688	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

malware_smoke_809594919.exe

description	pid	process	target process
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe
PID 2032 wrote to memory of 1688	2032	malware_smoke_809594919.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_809594919.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_809594919.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-59-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1688-61-0x0000000000000000-mapping.dmp

Download
memory/1688-63-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/1688-64-0x00000000000D0000-0x00000000000D2000-memory.dmp

Filesize
8KB

Download
memory/1688-66-0x00000000000D0000-0x00000000000D2000-memory.dmp

Filesize
8KB

Download
memory/2032-54-0x0000000000220000-0x00000000002EA000-memory.dmp

Filesize
808KB

Download
memory/2032-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000000220000-0x00000000002EA000-memory.dmp

Filesize
808KB

Download
memory/2032-57-0x0000000001F60000-0x0000000002153000-memory.dmp

Filesize
1.9MB

Download
memory/2032-58-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/2032-65-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download