danabot | db4244833901ba3af6a6067a221158fd6ff5c716cf71d4b793bed6f9f531f823

Analysis

max time kernel
154s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 14:20

Target

malware_smoke_2031282100.exe
Size

1004KB
MD5

f7ca6ae1dc453ec9a38521434cd628f4
SHA1

fc93b89044d8b46b0dcbfbe233938dc8413ec3de
SHA256

db4244833901ba3af6a6067a221158fd6ff5c716cf71d4b793bed6f9f531f823
SHA512

4dab36acc88c07f78f7213b4a31b9c3d00957fb594eae05ec473799bb7514dbf3e7a8925825f77f28955efa0e98e0fa00899a3d1b1996a93c5ae935bd3342688
SSDEEP

24576:ooW6nH8FR0j1LI6FLq4FMHF+wQziDz/Ku7:Q6nrju68NQzumu

Score

10^/10

Family

danabot

Botnet

23.254.133.7:443

213.227.155.102:443

Attributes

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2484 4916 WerFault.exe malware_smoke_2031282100.exe

pid	pid_target	process	target process
2484	4916	WerFault.exe	malware_smoke_2031282100.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

malware_smoke_2031282100.exe

description	pid	process	target process
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe
PID 4916 wrote to memory of 2012	4916	malware_smoke_2031282100.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\malware_smoke_2031282100.exe
"C:\Users\Admin\AppData\Local\Temp\malware_smoke_2031282100.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 616
2⤵
- Program crash
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4916 -ip 4916
1⤵
PID:3736

memory/2012-135-0x0000000000000000-mapping.dmp

Download
memory/4916-132-0x00000000022CE000-0x0000000002398000-memory.dmp

Filesize
808KB

Download
memory/4916-133-0x00000000023A0000-0x0000000002593000-memory.dmp

Filesize
1.9MB

Download
memory/4916-134-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/4916-136-0x00000000023A0000-0x0000000002593000-memory.dmp

Filesize
1.9MB

Download
memory/4916-137-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download