danabot | 5e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a

General

Target

ChromeSetup.exe
Size

260KB
MD5

318048af42c5a515d00f888051759aee
SHA1

08f02dd5f433599e79b4af8492d764b6cc20ae1d
SHA256

5e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a
SHA512

6b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e
SSDEEP

3072:1XKqvYc10U0hP/6m1h45PssEZL6zXBPRga25dZRsX+Iw3mi03zbu/T0K/:xVH/2P/6m1astL6zXAnOcmi03vu0U

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

C2

172.86.120.215:443

213.227.155.103:443

103.187.26.147:443

172.86.120.138:443

Attributes

embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1956-56-0x00000000001D0000-0x00000000001D9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 64 IoCs

Processes:

rundll32.exe

flow	pid	process
50	1040	rundll32.exe
53	1040	rundll32.exe
54	1040	rundll32.exe
55	1040	rundll32.exe
56	1040	rundll32.exe
57	1040	rundll32.exe
58	1040	rundll32.exe
59	1040	rundll32.exe
60	1040	rundll32.exe
61	1040	rundll32.exe
62	1040	rundll32.exe
63	1040	rundll32.exe
64	1040	rundll32.exe
65	1040	rundll32.exe
66	1040	rundll32.exe
67	1040	rundll32.exe
68	1040	rundll32.exe
69	1040	rundll32.exe
70	1040	rundll32.exe
71	1040	rundll32.exe
72	1040	rundll32.exe
73	1040	rundll32.exe
74	1040	rundll32.exe
75	1040	rundll32.exe
76	1040	rundll32.exe
77	1040	rundll32.exe
78	1040	rundll32.exe
79	1040	rundll32.exe
80	1040	rundll32.exe
81	1040	rundll32.exe
82	1040	rundll32.exe
83	1040	rundll32.exe
84	1040	rundll32.exe
85	1040	rundll32.exe
86	1040	rundll32.exe
87	1040	rundll32.exe
88	1040	rundll32.exe
91	1040	rundll32.exe
92	1040	rundll32.exe
95	1040	rundll32.exe
96	1040	rundll32.exe
99	1040	rundll32.exe
100	1040	rundll32.exe
101	1040	rundll32.exe
104	1040	rundll32.exe
107	1040	rundll32.exe
108	1040	rundll32.exe
110	1040	rundll32.exe
111	1040	rundll32.exe
112	1040	rundll32.exe
113	1040	rundll32.exe
114	1040	rundll32.exe
115	1040	rundll32.exe
116	1040	rundll32.exe
117	1040	rundll32.exe
118	1040	rundll32.exe
119	1040	rundll32.exe
120	1040	rundll32.exe
121	1040	rundll32.exe
122	1040	rundll32.exe
123	1040	rundll32.exe
124	1040	rundll32.exe
125	1040	rundll32.exe
126	1040	rundll32.exe

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

276F.exeravjgwjravjgwj

pid process

592 276F.exe
628 ravjgwj
268 ravjgwj
Deletes itself 1 IoCs

Processes:

pid process

1296

pid	process
592	276F.exe
628	ravjgwj
268	ravjgwj

pid	process
1296

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ChromeSetup.exeravjgwjravjgwj

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ravjgwj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ravjgwj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ravjgwj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ravjgwj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ravjgwj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ravjgwj

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ChromeSetup.exe

pid	process
1956	ChromeSetup.exe
1956	ChromeSetup.exe
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

ChromeSetup.exeravjgwjravjgwj

pid process

1956 ChromeSetup.exe
628 ravjgwj
268 ravjgwj

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	1296
Token: SeShutdownPrivilege	1296
Token: SeShutdownPrivilege	1296
Token: SeShutdownPrivilege	1296
Token: SeShutdownPrivilege	1296
Token: SeShutdownPrivilege	1296

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1296
1296
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1296
1296

pid	process
1296
1296

pid	process
1296
1296

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

276F.exetaskeng.exetaskeng.exe

description	pid	process	target process
PID 1296 wrote to memory of 592	1296		276F.exe
PID 1296 wrote to memory of 592	1296		276F.exe
PID 1296 wrote to memory of 592	1296		276F.exe
PID 1296 wrote to memory of 592	1296		276F.exe
PID 592 wrote to memory of 2028	592	276F.exe	AdapterTroubleshooter.exe
PID 592 wrote to memory of 2028	592	276F.exe	AdapterTroubleshooter.exe
PID 592 wrote to memory of 2028	592	276F.exe	AdapterTroubleshooter.exe
PID 592 wrote to memory of 2028	592	276F.exe	AdapterTroubleshooter.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 592 wrote to memory of 1040	592	276F.exe	rundll32.exe
PID 800 wrote to memory of 628	800	taskeng.exe	ravjgwj
PID 800 wrote to memory of 628	800	taskeng.exe	ravjgwj
PID 800 wrote to memory of 628	800	taskeng.exe	ravjgwj
PID 800 wrote to memory of 628	800	taskeng.exe	ravjgwj
PID 1016 wrote to memory of 268	1016	taskeng.exe	ravjgwj
PID 1016 wrote to memory of 268	1016	taskeng.exe	ravjgwj
PID 1016 wrote to memory of 268	1016	taskeng.exe	ravjgwj
PID 1016 wrote to memory of 268	1016	taskeng.exe	ravjgwj

C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1956

C:\Users\Admin\AppData\Local\Temp\276F.exe
C:\Users\Admin\AppData\Local\Temp\276F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
2⤵
PID:2028

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1040

C:\Windows\system32\taskeng.exe
taskeng.exe {305DAF32-00A0-46B1-8A97-CD9C42500F42} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Roaming\ravjgwj
C:\Users\Admin\AppData\Roaming\ravjgwj
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:628

C:\Windows\system32\taskeng.exe
taskeng.exe {CD07351F-0B7B-45A5-8CA7-ED812609F875} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Roaming\ravjgwj
C:\Users\Admin\AppData\Roaming\ravjgwj
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\276F.exe
Filesize
1.3MB

MD5
5bca63386bbada2c021da12fae6e0a2b

SHA1
9ac800c5c720e0c4f6a21fdb27211c4a9a875452

SHA256
b09c865208a4ae4f0960b5acc8229e7964a5c237cc0dd3de82137c65afcd91be

SHA512
957f2cc397158d9784fb4c45349f16597c28837064a40b7865c291a29acf1cb2d21334efe5bb5e861f98cc1453d800ac0f60bc28d6b1aaed89d2b6463f376339

Download Submit
C:\Users\Admin\AppData\Roaming\ravjgwj
Filesize
260KB

MD5
318048af42c5a515d00f888051759aee

SHA1
08f02dd5f433599e79b4af8492d764b6cc20ae1d

SHA256
5e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a

SHA512
6b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e

Download Submit
C:\Users\Admin\AppData\Roaming\ravjgwj
Filesize
260KB

MD5
318048af42c5a515d00f888051759aee

SHA1
08f02dd5f433599e79b4af8492d764b6cc20ae1d

SHA256
5e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a

SHA512
6b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e

Download Submit
C:\Users\Admin\AppData\Roaming\ravjgwj
Filesize
260KB

MD5
318048af42c5a515d00f888051759aee

SHA1
08f02dd5f433599e79b4af8492d764b6cc20ae1d

SHA256
5e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a

SHA512
6b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e

Download Submit
memory/268-94-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/268-93-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/268-92-0x000000000308A000-0x000000000309F000-memory.dmp

Filesize
84KB

Download
memory/268-89-0x0000000000000000-mapping.dmp

Download
memory/592-65-0x00000000046C0000-0x000000000498C000-memory.dmp

Filesize
2.8MB

Download
memory/592-64-0x0000000002D40000-0x0000000002E61000-memory.dmp

Filesize
1.1MB

Download
memory/592-80-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/592-66-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/592-67-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/592-68-0x0000000000400000-0x0000000002D3B000-memory.dmp

Filesize
41.2MB

Download
memory/592-61-0x0000000002D40000-0x0000000002E61000-memory.dmp

Filesize
1.1MB

Download
memory/592-59-0x0000000000000000-mapping.dmp

Download
memory/628-88-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/628-87-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/628-86-0x0000000002DDA000-0x0000000002DEF000-memory.dmp

Filesize
84KB

Download
memory/628-83-0x0000000000000000-mapping.dmp

Download
memory/1040-78-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/1040-70-0x00000000002C0000-0x00000000002C2000-memory.dmp

Filesize
8KB

Download
memory/1040-75-0x00000000000D0000-0x00000000000D2000-memory.dmp

Filesize
8KB

Download
memory/1040-81-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download
memory/1040-76-0x00000000000E0000-0x00000000000E2000-memory.dmp

Filesize
8KB

Download
memory/1040-77-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1040-79-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download
memory/1040-74-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/1040-72-0x0000000000000000-mapping.dmp

Download
memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1956-58-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/1956-57-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/1956-55-0x0000000000340000-0x0000000000355000-memory.dmp

Filesize
84KB

Download
memory/1956-56-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads