danabot | a3b093b598745be3ab996c93644a3f253c3e8e35b1b6aebb598c3144f8ac2d30

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2022, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3b093b598745be3ab996c93644a3f253c3e8e35b1b6aebb598c3144f8ac2d30.exe
Size

256KB
MD5

2574df928dade38b6439e14e167d9342
SHA1

f9b0e479f1eb2d9bc8f1420b1577a1b75ef2a0f2
SHA256

a3b093b598745be3ab996c93644a3f253c3e8e35b1b6aebb598c3144f8ac2d30
SHA512

dfa32412b37773051c4251165a01e965617794b2844e9fa0aa789c71995d5b97d19e4e09a173571a5f7890d87ab7a053864a0abf1ee72cc3acfeaa97e98ff3b0
SSDEEP

6144:d3qGs1pM/PcECggm/aqQ4BqWE4aJ2QI1E:d3O1pEkiCfb/2QIy

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

172.86.120.215:443

213.227.155.103:443

103.187.26.147:443

172.86.120.138:443

Attributes

embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/4368-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 18 IoCs

flow	pid	Process
74	2700	rundll32.exe
75	2700	rundll32.exe
76	2700	rundll32.exe
77	2700	rundll32.exe
78	2700	rundll32.exe
79	2700	rundll32.exe
80	2700	rundll32.exe
81	2700	rundll32.exe
82	2700	rundll32.exe
83	2700	rundll32.exe
84	2700	rundll32.exe
85	2700	rundll32.exe
86	2700	rundll32.exe
87	2700	rundll32.exe
88	2700	rundll32.exe
89	2700	rundll32.exe
90	2700	rundll32.exe
91	2700	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3388	396F.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1144	3388	WerFault.exe	88

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a3b093b598745be3ab996c93644a3f253c3e8e35b1b6aebb598c3144f8ac2d30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a3b093b598745be3ab996c93644a3f253c3e8e35b1b6aebb598c3144f8ac2d30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a3b093b598745be3ab996c93644a3f253c3e8e35b1b6aebb598c3144f8ac2d30.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4368	a3b093b598745be3ab996c93644a3f253c3e8e35b1b6aebb598c3144f8ac2d30.exe
4368	a3b093b598745be3ab996c93644a3f253c3e8e35b1b6aebb598c3144f8ac2d30.exe
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found
3056	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3056	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4368	a3b093b598745be3ab996c93644a3f253c3e8e35b1b6aebb598c3144f8ac2d30.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	372	svchost.exe
Token: SeShutdownPrivilege	372	svchost.exe
Token: SeCreatePagefilePrivilege	372	svchost.exe
Token: SeShutdownPrivilege	3056	Process not Found
Token: SeCreatePagefilePrivilege	3056	Process not Found

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3388	3056	Process not Found	88
PID 3056 wrote to memory of 3388	3056	Process not Found	88
PID 3056 wrote to memory of 3388	3056	Process not Found	88
PID 3388 wrote to memory of 1344	3388	396F.exe	89
PID 3388 wrote to memory of 1344	3388	396F.exe	89
PID 3388 wrote to memory of 1344	3388	396F.exe	89
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94
PID 3388 wrote to memory of 2700	3388	396F.exe	94

C:\Users\Admin\AppData\Local\Temp\a3b093b598745be3ab996c93644a3f253c3e8e35b1b6aebb598c3144f8ac2d30.exe
"C:\Users\Admin\AppData\Local\Temp\a3b093b598745be3ab996c93644a3f253c3e8e35b1b6aebb598c3144f8ac2d30.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4368

C:\Users\Admin\AppData\Local\Temp\396F.exe
C:\Users\Admin\AppData\Local\Temp\396F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  C:\Windows\system32\agentactivationruntimestarter.exe
  2⤵
  PID:1344
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 624
  2⤵
  - Program crash
  PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x414 0x518
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3388 -ip 3388
1⤵
PID:3456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\396F.exe

Filesize
1.3MB

MD5
b17cbffa171dae3d2a741c8471f1a44c

SHA1
dc1f7c3e4e4229233bc8f40caceb6aac3f00e48c

SHA256
4c70eaca38a7119e392eb0007dff27793fcaab04d1273b9dc371149f489ca11c

SHA512
f424e45bca054e17b321972e197cc85b924b8c774f338581446d46afd818c7f66fd49424ace747d8e466a1b588218c3b5c9df187aa7d2abd3a152c54094b23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\396F.exe

Filesize
1.3MB

MD5
b17cbffa171dae3d2a741c8471f1a44c

SHA1
dc1f7c3e4e4229233bc8f40caceb6aac3f00e48c

SHA256
4c70eaca38a7119e392eb0007dff27793fcaab04d1273b9dc371149f489ca11c

SHA512
f424e45bca054e17b321972e197cc85b924b8c774f338581446d46afd818c7f66fd49424ace747d8e466a1b588218c3b5c9df187aa7d2abd3a152c54094b23fe

Download Submit
memory/2700-147-0x0000000000600000-0x0000000000603000-memory.dmp

Filesize
12KB

Download
memory/2700-153-0x0000000000640000-0x0000000000643000-memory.dmp

Filesize
12KB

Download
memory/2700-151-0x0000000000640000-0x0000000000643000-memory.dmp

Filesize
12KB

Download
memory/2700-149-0x0000000000620000-0x0000000000623000-memory.dmp

Filesize
12KB

Download
memory/2700-150-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/2700-148-0x0000000000610000-0x0000000000613000-memory.dmp

Filesize
12KB

Download
memory/3388-140-0x0000000003080000-0x00000000031A1000-memory.dmp

Filesize
1.1MB

Download
memory/3388-143-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/3388-144-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/3388-145-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/3388-142-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/3388-141-0x0000000004B50000-0x0000000004E1C000-memory.dmp

Filesize
2.8MB

Download
memory/3388-152-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/4368-132-0x0000000002F22000-0x0000000002F37000-memory.dmp

Filesize
84KB

Download
memory/4368-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4368-134-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/4368-135-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download