danabot | 2115604b92baedae0ce00d0999b30ce95ef4b7a500394d93ff0964058564b86f

General

Target

malware_smoke_2685359676.exe
Size

1.0MB
MD5

709ac17aa5df3c0524aea20526c972a8
SHA1

7ca26cff5ad3877c54539b14b85267689e9167b0
SHA256

2115604b92baedae0ce00d0999b30ce95ef4b7a500394d93ff0964058564b86f
SHA512

0f6aa767a8103600b708d5f67b06c0c07c7ee810c30138d63715e3333dc6dd8065cea54992fb7002fff1efb3aa12a3f1b270209f833f579cf8fd40850bc553c4
SSDEEP

24576:Ur9ateFHxSeaj01+U/76idwZmmA2E5R4Fn3Z5Uhp/1fKbEWA:UdHxb801+U/e3A2E5SF3Zqhp1fKb

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
12DF5314C5FDA13D9BF397EE140FD5E8
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 50 IoCs

Processes:

rundll32.exe

flow	pid	process
2	2044	rundll32.exe
4	2044	rundll32.exe
5	2044	rundll32.exe
6	2044	rundll32.exe
7	2044	rundll32.exe
8	2044	rundll32.exe
9	2044	rundll32.exe
10	2044	rundll32.exe
11	2044	rundll32.exe
12	2044	rundll32.exe
13	2044	rundll32.exe
14	2044	rundll32.exe
16	2044	rundll32.exe
17	2044	rundll32.exe
18	2044	rundll32.exe
19	2044	rundll32.exe
20	2044	rundll32.exe
21	2044	rundll32.exe
22	2044	rundll32.exe
23	2044	rundll32.exe
24	2044	rundll32.exe
25	2044	rundll32.exe
26	2044	rundll32.exe
27	2044	rundll32.exe
28	2044	rundll32.exe
29	2044	rundll32.exe
30	2044	rundll32.exe
31	2044	rundll32.exe
32	2044	rundll32.exe
33	2044	rundll32.exe
34	2044	rundll32.exe
35	2044	rundll32.exe
36	2044	rundll32.exe
37	2044	rundll32.exe
38	2044	rundll32.exe
39	2044	rundll32.exe
40	2044	rundll32.exe
41	2044	rundll32.exe
42	2044	rundll32.exe
43	2044	rundll32.exe
44	2044	rundll32.exe
45	2044	rundll32.exe
46	2044	rundll32.exe
47	2044	rundll32.exe
48	2044	rundll32.exe
49	2044	rundll32.exe
50	2044	rundll32.exe
51	2044	rundll32.exe
52	2044	rundll32.exe
53	2044	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

malware_smoke_2685359676.exe

description	pid	process	target process
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe
PID 2016 wrote to memory of 2044	2016	malware_smoke_2685359676.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_2685359676.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_2685359676.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-67-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/2016-55-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2016-95-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/2016-54-0x00000000002A0000-0x000000000036A000-memory.dmp

Filesize
808KB

Download
memory/2016-63-0x00000000002A0000-0x000000000036A000-memory.dmp

Filesize
808KB

Download
memory/2016-65-0x0000000001F70000-0x0000000002163000-memory.dmp

Filesize
1.9MB

Download
memory/2044-89-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/2044-87-0x0000000000000000-mapping.dmp

Download
memory/2044-58-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/2044-90-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2044-91-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/2044-92-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/2044-93-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/2044-94-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/2044-56-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/2044-96-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing