Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    182s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2022 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5b8a26e9a16c31c4e6cbec34860b681d59c86e18b69a35438b4b8e1eeed73bd.exe

  • Size

    382KB

  • MD5

    bfdab4f18772cdd4872c99deae3a429e

  • SHA1

    37c4606445870ec22fa03751e7273bb388b2df45

  • SHA256

    a5b8a26e9a16c31c4e6cbec34860b681d59c86e18b69a35438b4b8e1eeed73bd

  • SHA512

    e9f054f2a220164269f488a47adfdc35e21302fe59452d732d6a7cb8e7ce6e30baa9696de06f77989e95ae5345fa790a3890e367065233b70fb2bc4445fd9afa

  • SSDEEP

    6144:3kDLlowxxoIRBDDkK61whwhh6K9W9Cbtded89kTt:34Bow39RB3J6RIK9W9pac

Score
10/10
danabotsmokeloaderbackdoorbankertrojan

Malware Config

Extracted

Family

danabot

Attributes
  • embedded_hash

    341D2FD1638BB267A80C7445E1909B57

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5b8a26e9a16c31c4e6cbec34860b681d59c86e18b69a35438b4b8e1eeed73bd.exe
    "C:\Users\Admin\AppData\Local\Temp\a5b8a26e9a16c31c4e6cbec34860b681d59c86e18b69a35438b4b8e1eeed73bd.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:920
  • C:\Users\Admin\AppData\Roaming\efgwsii
    C:\Users\Admin\AppData\Roaming\efgwsii
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:2428
  • C:\Users\Admin\AppData\Local\Temp\877B.exe
    C:\Users\Admin\AppData\Local\Temp\877B.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Didddpquafu.dll,start
      2⤵
      • Loads dropped DLL
      PID:5028
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 620
      2⤵
      • Program crash
      PID:4196
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4524 -ip 4524
    1⤵
      PID:1844

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\877B.exe
      Filesize

      2.6MB

      MD5

      e7d4b22745e2ac7b9057ddb0d8be5ab6

      SHA1

      adf825132fe114caff00de8f4b91f2e2b8c0d577

      SHA256

      1c2d3e3a602530705040873f42a3bf8b93e711b28d122087c48cd0a839a49bc3

      SHA512

      62a3e04dedd7adb38678d956e19b37f5105b9bf29400f6bc42772ed6237136cd5b82a70abf89f8af28ee59ac9d150e7ddd320f7740a02ca59a9bf011cd8e98f3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\877B.exe
      Filesize

      2.6MB

      MD5

      e7d4b22745e2ac7b9057ddb0d8be5ab6

      SHA1

      adf825132fe114caff00de8f4b91f2e2b8c0d577

      SHA256

      1c2d3e3a602530705040873f42a3bf8b93e711b28d122087c48cd0a839a49bc3

      SHA512

      62a3e04dedd7adb38678d956e19b37f5105b9bf29400f6bc42772ed6237136cd5b82a70abf89f8af28ee59ac9d150e7ddd320f7740a02ca59a9bf011cd8e98f3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Didddpquafu.dll
      Filesize

      2.4MB

      MD5

      f51add44409384c37f9f6713a3da86b0

      SHA1

      d07c4b571a27a5cd4b9134c916f960eaa67b112c

      SHA256

      737219233901831c88d5ba9ca5571cf569fd22872c01086f95811a20e7a01679

      SHA512

      76a849d942e6719e6c795fd82468eb10847df006f1baee4d717bee0c5436590d8dcf4a5d1a1c39a1919f8811037e61dbf4799c797be878b064ad8b9f3fdc9d85

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Didddpquafu.dll
      Filesize

      2.4MB

      MD5

      f51add44409384c37f9f6713a3da86b0

      SHA1

      d07c4b571a27a5cd4b9134c916f960eaa67b112c

      SHA256

      737219233901831c88d5ba9ca5571cf569fd22872c01086f95811a20e7a01679

      SHA512

      76a849d942e6719e6c795fd82468eb10847df006f1baee4d717bee0c5436590d8dcf4a5d1a1c39a1919f8811037e61dbf4799c797be878b064ad8b9f3fdc9d85

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Didddpquafu.dll
      Filesize

      2.4MB

      MD5

      f51add44409384c37f9f6713a3da86b0

      SHA1

      d07c4b571a27a5cd4b9134c916f960eaa67b112c

      SHA256

      737219233901831c88d5ba9ca5571cf569fd22872c01086f95811a20e7a01679

      SHA512

      76a849d942e6719e6c795fd82468eb10847df006f1baee4d717bee0c5436590d8dcf4a5d1a1c39a1919f8811037e61dbf4799c797be878b064ad8b9f3fdc9d85

      Download Submit
    • C:\Users\Admin\AppData\Roaming\efgwsii
      Filesize

      382KB

      MD5

      bfdab4f18772cdd4872c99deae3a429e

      SHA1

      37c4606445870ec22fa03751e7273bb388b2df45

      SHA256

      a5b8a26e9a16c31c4e6cbec34860b681d59c86e18b69a35438b4b8e1eeed73bd

      SHA512

      e9f054f2a220164269f488a47adfdc35e21302fe59452d732d6a7cb8e7ce6e30baa9696de06f77989e95ae5345fa790a3890e367065233b70fb2bc4445fd9afa

      Download Submit
    • C:\Users\Admin\AppData\Roaming\efgwsii
      Filesize

      382KB

      MD5

      bfdab4f18772cdd4872c99deae3a429e

      SHA1

      37c4606445870ec22fa03751e7273bb388b2df45

      SHA256

      a5b8a26e9a16c31c4e6cbec34860b681d59c86e18b69a35438b4b8e1eeed73bd

      SHA512

      e9f054f2a220164269f488a47adfdc35e21302fe59452d732d6a7cb8e7ce6e30baa9696de06f77989e95ae5345fa790a3890e367065233b70fb2bc4445fd9afa

      Download Submit
    • memory/920-135-0x0000000000547000-0x000000000055D000-memory.dmp
      Filesize

      88KB

      Download
    • memory/920-132-0x0000000000547000-0x000000000055D000-memory.dmp
      Filesize

      88KB

      Download
    • memory/920-136-0x0000000000400000-0x0000000000466000-memory.dmp
      Filesize

      408KB

      Download
    • memory/920-134-0x0000000000400000-0x0000000000466000-memory.dmp
      Filesize

      408KB

      Download
    • memory/920-133-0x0000000000500000-0x0000000000509000-memory.dmp
      Filesize

      36KB

      Download
    • memory/2428-140-0x0000000000400000-0x0000000000466000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2428-141-0x0000000000400000-0x0000000000466000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2428-139-0x00000000006B7000-0x00000000006CC000-memory.dmp
      Filesize

      84KB

      Download
    • memory/4524-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4524-148-0x0000000000400000-0x0000000000792000-memory.dmp
      Filesize

      3.6MB

      Download
    • memory/4524-146-0x00000000026C0000-0x0000000002A45000-memory.dmp
      Filesize

      3.5MB

      Download
    • memory/4524-145-0x0000000000BD2000-0x0000000000E1D000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/4524-153-0x00000000026C0000-0x0000000002A45000-memory.dmp
      Filesize

      3.5MB

      Download
    • memory/4524-154-0x0000000000400000-0x0000000000792000-memory.dmp
      Filesize

      3.6MB

      Download
    • memory/5028-147-0x0000000000000000-mapping.dmp
      Download
    • memory/5028-152-0x00000000021C0000-0x0000000002431000-memory.dmp
      Filesize

      2.4MB

      Download