danabot | ad48c30022e44f886d8f47c7d598f4169ecb1f8200945b2c3644b9792943b6ac

Analysis

max time kernel
171s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77cb80456d210a88217896c269e59867528f06d7989ef085e450a087d069606a.exe
Size

229KB
MD5

323eec36d438709a3e745d5247cc83e9
SHA1

55b2bd1311736bf3a4125d8dffa69a922d3f75f6
SHA256

77cb80456d210a88217896c269e59867528f06d7989ef085e450a087d069606a
SHA512

eed56a1049498786381070f3ac30f5849a4408b5e9be36e1cc45188e18cd36836e7e67bf13d4882e15ca54e0759ee93bb14b1af880ba8d7c6e783ea6b1114c99
SSDEEP

3072:tb5+USHs19cAqdLzrYrWqXPq6FVrcFep81sX9C/byeD/HPGWF5:tblUsfoLPYrXPrcIp8EtE+

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
56951C922035D696BFCE443750496462
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/4752-133-0x0000000000670000-0x0000000000679000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2360	9CC8.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77cb80456d210a88217896c269e59867528f06d7989ef085e450a087d069606a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77cb80456d210a88217896c269e59867528f06d7989ef085e450a087d069606a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77cb80456d210a88217896c269e59867528f06d7989ef085e450a087d069606a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	77cb80456d210a88217896c269e59867528f06d7989ef085e450a087d069606a.exe
4752	77cb80456d210a88217896c269e59867528f06d7989ef085e450a087d069606a.exe
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found
2712	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2712	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4752	77cb80456d210a88217896c269e59867528f06d7989ef085e450a087d069606a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2232	svchost.exe
Token: SeShutdownPrivilege	2232	svchost.exe
Token: SeCreatePagefilePrivilege	2232	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2360	2712	Process not Found	89
PID 2712 wrote to memory of 2360	2712	Process not Found	89
PID 2712 wrote to memory of 2360	2712	Process not Found	89
PID 2360 wrote to memory of 944	2360	9CC8.exe	90
PID 2360 wrote to memory of 944	2360	9CC8.exe	90
PID 2360 wrote to memory of 944	2360	9CC8.exe	90

C:\Users\Admin\AppData\Local\Temp\77cb80456d210a88217896c269e59867528f06d7989ef085e450a087d069606a.exe
"C:\Users\Admin\AppData\Local\Temp\77cb80456d210a88217896c269e59867528f06d7989ef085e450a087d069606a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4752

C:\Users\Admin\AppData\Local\Temp\9CC8.exe
C:\Users\Admin\AppData\Local\Temp\9CC8.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  C:\Windows\system32\agentactivationruntimestarter.exe
  2⤵
  PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x2fc
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9CC8.exe

Filesize
1.3MB

MD5
91d8c482f0eacb0ca88df259b4660ee5

SHA1
db889159be2543dcb00a5243909d050239ca0431

SHA256
1a5400bca4d7b08c9448aad4b1a0b6616b140898a6d79f970757f6c019ad67a1

SHA512
24d904d1488a2eb810d996b24b97afb7d4345331100fdf1a35a7d838e170820889beeecafd0f491d030d2b43c192c322f1bfe5be565c49536a537dcf6d000d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CC8.exe

Filesize
1.3MB

MD5
91d8c482f0eacb0ca88df259b4660ee5

SHA1
db889159be2543dcb00a5243909d050239ca0431

SHA256
1a5400bca4d7b08c9448aad4b1a0b6616b140898a6d79f970757f6c019ad67a1

SHA512
24d904d1488a2eb810d996b24b97afb7d4345331100fdf1a35a7d838e170820889beeecafd0f491d030d2b43c192c322f1bfe5be565c49536a537dcf6d000d30

Download Submit
memory/2360-139-0x0000000000A22000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/2360-140-0x0000000002530000-0x00000000027F2000-memory.dmp

Filesize
2.8MB

Download
memory/2360-142-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/2360-143-0x0000000002530000-0x00000000027F2000-memory.dmp

Filesize
2.8MB

Download
memory/4752-132-0x0000000000792000-0x00000000007A3000-memory.dmp

Filesize
68KB

Download
memory/4752-133-0x0000000000670000-0x0000000000679000-memory.dmp

Filesize
36KB

Download
memory/4752-134-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4752-135-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download