danabot | e10640bc90b1c9fe36be71c79b107140b95a541611358c2627b516f3ae58e397

Analysis

max time kernel
143s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware_smoke_1895150882.exe
Size

1.0MB
MD5

c53c1a89163132347f76dd22ab3741cc
SHA1

026cd76399273a5691555bf058f6b5c0aa56cc50
SHA256

e10640bc90b1c9fe36be71c79b107140b95a541611358c2627b516f3ae58e397
SHA512

4fd035370232c85fb04f0af16742e5ecbb51235a5adfebf2bf2568637a39d2614165274caceaf0bc6cbdaa9fad977a5e7470d55287cc0a1eecde6362175f3864
SSDEEP

24576:JgMcEVieKUHklvhYLSlVf/Ja4rITxX0x8kKMsyNv:JPcAimElw6enTxkx8kK7yN

Score

10^/10

danabot 5 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

23.254.133.7:443

213.227.155.102:443

Attributes

embedded_hash
12DF5314C5FDA13D9BF397EE140FD5E8
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 12 IoCs

Processes:

rundll32.exe

flow	pid	process
24	5100	rundll32.exe
33	5100	rundll32.exe
37	5100	rundll32.exe
43	5100	rundll32.exe
45	5100	rundll32.exe
46	5100	rundll32.exe
47	5100	rundll32.exe
49	5100	rundll32.exe
50	5100	rundll32.exe
53	5100	rundll32.exe
54	5100	rundll32.exe
55	5100	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5056 4352 WerFault.exe malware_smoke_1895150882.exe

pid	pid_target	process	target process
5056	4352	WerFault.exe	malware_smoke_1895150882.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

malware_smoke_1895150882.exe

description	pid	process	target process
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe
PID 4352 wrote to memory of 5100	4352	malware_smoke_1895150882.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_1895150882.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_1895150882.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 616
2⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4352 -ip 4352
1⤵
PID:5092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4352-132-0x0000000000872000-0x000000000093C000-memory.dmp

Filesize
808KB

Download
memory/4352-133-0x0000000002300000-0x00000000024F3000-memory.dmp

Filesize
1.9MB

Download
memory/4352-134-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/4352-135-0x0000000000872000-0x000000000093C000-memory.dmp

Filesize
808KB

Download
memory/4352-136-0x0000000002300000-0x00000000024F3000-memory.dmp

Filesize
1.9MB

Download
memory/4352-137-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/5100-138-0x0000000000000000-mapping.dmp

Download
memory/5100-139-0x0000000000F40000-0x0000000000F43000-memory.dmp

Filesize
12KB

Download
memory/5100-141-0x0000000000F60000-0x0000000000F63000-memory.dmp

Filesize
12KB

Download
memory/5100-140-0x0000000000F50000-0x0000000000F53000-memory.dmp

Filesize
12KB

Download