danabot | 2115604b92baedae0ce00d0999b30ce95ef4b7a500394d93ff0964058564b86f

Analysis

max time kernel
155s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_smoke_2685359676.exe
Size

1.0MB
MD5

709ac17aa5df3c0524aea20526c972a8
SHA1

7ca26cff5ad3877c54539b14b85267689e9167b0
SHA256

2115604b92baedae0ce00d0999b30ce95ef4b7a500394d93ff0964058564b86f
SHA512

0f6aa767a8103600b708d5f67b06c0c07c7ee810c30138d63715e3333dc6dd8065cea54992fb7002fff1efb3aa12a3f1b270209f833f579cf8fd40850bc553c4
SSDEEP

24576:Ur9ateFHxSeaj01+U/76idwZmmA2E5R4Fn3Z5Uhp/1fKbEWA:UdHxb801+U/e3A2E5SF3Zqhp1fKb

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
12DF5314C5FDA13D9BF397EE140FD5E8
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 33 IoCs

Processes:

rundll32.exe

flow	pid	process
13	2260	rundll32.exe
15	2260	rundll32.exe
16	2260	rundll32.exe
22	2260	rundll32.exe
23	2260	rundll32.exe
26	2260	rundll32.exe
34	2260	rundll32.exe
36	2260	rundll32.exe
37	2260	rundll32.exe
40	2260	rundll32.exe
41	2260	rundll32.exe
43	2260	rundll32.exe
44	2260	rundll32.exe
45	2260	rundll32.exe
46	2260	rundll32.exe
47	2260	rundll32.exe
48	2260	rundll32.exe
49	2260	rundll32.exe
50	2260	rundll32.exe
51	2260	rundll32.exe
52	2260	rundll32.exe
53	2260	rundll32.exe
56	2260	rundll32.exe
57	2260	rundll32.exe
58	2260	rundll32.exe
59	2260	rundll32.exe
60	2260	rundll32.exe
61	2260	rundll32.exe
62	2260	rundll32.exe
63	2260	rundll32.exe
64	2260	rundll32.exe
65	2260	rundll32.exe
66	2260	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1312 780 WerFault.exe malware_smoke_2685359676.exe

pid	pid_target	process	target process
1312	780	WerFault.exe	malware_smoke_2685359676.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

malware_smoke_2685359676.exe

description	pid	process	target process
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe
PID 780 wrote to memory of 2260	780	malware_smoke_2685359676.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_2685359676.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_2685359676.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 612
2⤵
- Program crash
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 780 -ip 780
1⤵
PID:4640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/780-132-0x0000000002231000-0x00000000022FB000-memory.dmp

Filesize
808KB

Download
memory/780-133-0x0000000002300000-0x00000000024F3000-memory.dmp

Filesize
1.9MB

Download
memory/780-134-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/780-135-0x0000000002300000-0x00000000024F3000-memory.dmp

Filesize
1.9MB

Download
memory/780-136-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/2260-137-0x0000000000000000-mapping.dmp

Download
memory/2260-138-0x0000000000CC0000-0x0000000000CC3000-memory.dmp

Filesize
12KB

Download
memory/2260-139-0x0000000000CD0000-0x0000000000CD3000-memory.dmp

Filesize
12KB

Download
memory/2260-140-0x0000000000CD0000-0x0000000000CD3000-memory.dmp

Filesize
12KB

Download