danabot | cbced5793450b49eedfaa70e1f569e0d80c336faeac2a5a16a3fc43536b0970d

General

Target

malware_smoke_1300718746.exe
Size

1.0MB
MD5

918be9d668bffdec63f184050d4b2883
SHA1

63adbf4aeeffe68460bf64f4832c6660193e30c0
SHA256

cbced5793450b49eedfaa70e1f569e0d80c336faeac2a5a16a3fc43536b0970d
SHA512

564107fa81f0d20874b1d5a524d9a4eba972803324b284b70d0c01147e657609e3818497dcae66195096f643c4c69fd61e5bc8e3da5ec197d235a780aac7f81d
SSDEEP

24576:ED+Xqsgozyz8SK0jgiQR5nYuuPsYY9h2yLz8iL5RB:Hasnzy3OF3JuPe9wy

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

5

C2

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
12DF5314C5FDA13D9BF397EE140FD5E8
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 46 IoCs

Processes:

rundll32.exe

flow	pid	process
3	1476	rundll32.exe
5	1476	rundll32.exe
6	1476	rundll32.exe
7	1476	rundll32.exe
8	1476	rundll32.exe
9	1476	rundll32.exe
10	1476	rundll32.exe
11	1476	rundll32.exe
13	1476	rundll32.exe
14	1476	rundll32.exe
15	1476	rundll32.exe
16	1476	rundll32.exe
17	1476	rundll32.exe
18	1476	rundll32.exe
19	1476	rundll32.exe
20	1476	rundll32.exe
21	1476	rundll32.exe
22	1476	rundll32.exe
23	1476	rundll32.exe
24	1476	rundll32.exe
25	1476	rundll32.exe
26	1476	rundll32.exe
27	1476	rundll32.exe
28	1476	rundll32.exe
29	1476	rundll32.exe
30	1476	rundll32.exe
31	1476	rundll32.exe
32	1476	rundll32.exe
33	1476	rundll32.exe
34	1476	rundll32.exe
35	1476	rundll32.exe
36	1476	rundll32.exe
37	1476	rundll32.exe
38	1476	rundll32.exe
39	1476	rundll32.exe
40	1476	rundll32.exe
41	1476	rundll32.exe
42	1476	rundll32.exe
43	1476	rundll32.exe
44	1476	rundll32.exe
45	1476	rundll32.exe
46	1476	rundll32.exe
47	1476	rundll32.exe
48	1476	rundll32.exe
49	1476	rundll32.exe
50	1476	rundll32.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

malware_smoke_1300718746.exe

description	pid	process	target process
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe
PID 2036 wrote to memory of 1476	2036	malware_smoke_1300718746.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_1300718746.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_1300718746.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1476-139-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1476-141-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1476-135-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/1476-123-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/1476-124-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/1476-59-0x00000000002D0000-0x00000000002D3000-memory.dmp

Filesize
12KB

Download
memory/1476-61-0x00000000002D0000-0x00000000002D3000-memory.dmp

Filesize
12KB

Download
memory/1476-121-0x0000000000000000-mapping.dmp

Download
memory/1476-134-0x0000000000170000-0x0000000000173000-memory.dmp

Filesize
12KB

Download
memory/1476-138-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1476-137-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/1476-136-0x0000000000190000-0x0000000000193000-memory.dmp

Filesize
12KB

Download
memory/1476-125-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/1476-133-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/1476-126-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/1476-132-0x0000000000150000-0x0000000000153000-memory.dmp

Filesize
12KB

Download
memory/1476-131-0x0000000000140000-0x0000000000143000-memory.dmp

Filesize
12KB

Download
memory/1476-130-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/1476-129-0x0000000000120000-0x0000000000123000-memory.dmp

Filesize
12KB

Download
memory/1476-128-0x0000000000110000-0x0000000000113000-memory.dmp

Filesize
12KB

Download
memory/1476-127-0x0000000000100000-0x0000000000103000-memory.dmp

Filesize
12KB

Download
memory/2036-55-0x0000000000220000-0x00000000002EA000-memory.dmp

Filesize
808KB

Download
memory/2036-56-0x0000000001E60000-0x0000000002053000-memory.dmp

Filesize
1.9MB

Download
memory/2036-58-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/2036-57-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/2036-140-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/2036-54-0x0000000000220000-0x00000000002EA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing