danabot | 6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
27-10-2022 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe
Size

260KB
MD5

0e1fe87be46c53d4ebe64ad3a9bebd26
SHA1

b0e585dc1ae1746bcad3f8c32b8d1487d3a99132
SHA256

6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16
SHA512

cac0e6a7848a1c7c1d1476ffc28ba338e78b0a4d3765c2dc5b2273821078340a71c31e08a27d14e7915764345acdf8c18e3a2de864de1c52d2271d7ed4ac96fc
SSDEEP

6144:eWHs2P/6Whqj2vBLTkKGQQCRTvQl7r0U:egs2P/6WsKBgeRTwA

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1980-148-0x0000000003060000-0x0000000003069000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

3132.exe

pid process

1096 3132.exe
Deletes itself 1 IoCs

Processes:

pid process

2952

pid	process
1096	3132.exe

pid	process
2952

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe

pid	process
1980	6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe
1980	6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2952
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe

pid process

1980 6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2952
Token: SeCreatePagefilePrivilege 2952

pid	process
2952

description	pid	process
Token: SeShutdownPrivilege	2952
Token: SeCreatePagefilePrivilege	2952

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3132.exe

description	pid	process	target process
PID 2952 wrote to memory of 1096	2952		3132.exe
PID 2952 wrote to memory of 1096	2952		3132.exe
PID 2952 wrote to memory of 1096	2952		3132.exe
PID 1096 wrote to memory of 3956	1096	3132.exe	appidtel.exe
PID 1096 wrote to memory of 3956	1096	3132.exe	appidtel.exe
PID 1096 wrote to memory of 3956	1096	3132.exe	appidtel.exe

C:\Users\Admin\AppData\Local\Temp\6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe
"C:\Users\Admin\AppData\Local\Temp\6def751fed7bca16da66d7c1c370d283c8288331641ead7fa599890bc4e5bb16.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1980

C:\Users\Admin\AppData\Local\Temp\3132.exe
C:\Users\Admin\AppData\Local\Temp\3132.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:3956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3132.exe
Filesize
1.3MB

MD5
5bca63386bbada2c021da12fae6e0a2b

SHA1
9ac800c5c720e0c4f6a21fdb27211c4a9a875452

SHA256
b09c865208a4ae4f0960b5acc8229e7964a5c237cc0dd3de82137c65afcd91be

SHA512
957f2cc397158d9784fb4c45349f16597c28837064a40b7865c291a29acf1cb2d21334efe5bb5e861f98cc1453d800ac0f60bc28d6b1aaed89d2b6463f376339

Download Submit
C:\Users\Admin\AppData\Local\Temp\3132.exe
Filesize
1.3MB

MD5
5bca63386bbada2c021da12fae6e0a2b

SHA1
9ac800c5c720e0c4f6a21fdb27211c4a9a875452

SHA256
b09c865208a4ae4f0960b5acc8229e7964a5c237cc0dd3de82137c65afcd91be

SHA512
957f2cc397158d9784fb4c45349f16597c28837064a40b7865c291a29acf1cb2d21334efe5bb5e861f98cc1453d800ac0f60bc28d6b1aaed89d2b6463f376339

Download Submit
memory/1096-179-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-180-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-209-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/1096-207-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/1096-206-0x0000000003060000-0x0000000003189000-memory.dmp

Filesize
1.2MB

Download
memory/1096-160-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-197-0x0000000004AE0000-0x0000000004DAC000-memory.dmp

Filesize
2.8MB

Download
memory/1096-196-0x0000000003060000-0x0000000003189000-memory.dmp

Filesize
1.2MB

Download
memory/1096-190-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-189-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-161-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-187-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-186-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-185-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-184-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-183-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-182-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-181-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-178-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-177-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-176-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-174-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-172-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-173-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-170-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-169-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-168-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-166-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-165-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-164-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-163-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-162-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-188-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-205-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/1096-171-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1096-158-0x0000000000000000-mapping.dmp

Download
memory/1980-151-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-129-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-120-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-154-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-140-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-152-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-141-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-150-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-149-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-146-0x0000000002D20000-0x0000000002E6A000-memory.dmp

Filesize
1.3MB

Download
memory/1980-121-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-148-0x0000000003060000-0x0000000003069000-memory.dmp

Filesize
36KB

Download
memory/1980-122-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-147-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-145-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-144-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-143-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-157-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/1980-123-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-156-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/1980-142-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-153-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-139-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-138-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-137-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-136-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-135-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-133-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-132-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-131-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-130-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-124-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-125-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-126-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-155-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-128-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-127-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3956-193-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3956-192-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3956-191-0x0000000000000000-mapping.dmp

Download