danabot | d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54

General

Target

d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe
Size

383KB
MD5

3924b9589f8ad1ad16fb366b9a4ef019
SHA1

f4d00271273ebba02658fde72f24dd9c3b13cf52
SHA256

d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54
SHA512

1080d569c826c661b1d71fe8e88ec6cdc565cc28ec3dd09c3dbb69d01b721916c7b00bc607c5dee05155e147a558a181442db1c943d6299b19cc13a1af3bd368
SSDEEP

6144:yPxLc89V7HBXHytZGmL4z21hh6K9W9LYRded89kTR:y5o89hhXHQZGo42IK9W9Paw

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
341D2FD1638BB267A80C7445E1909B57
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2768-133-0x0000000000600000-0x0000000000609000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

EDAC.exe

pid process

3948 EDAC.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4724 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

776 3948 WerFault.exe EDAC.exe

pid	process
3948	EDAC.exe

pid	process
4724	rundll32.exe

pid	pid_target	process	target process
776	3948	WerFault.exe	EDAC.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe

pid	process
2768	d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe
2768	d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3052
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe

pid process

2768 d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe

pid	process
3052

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EDAC.exe

description	pid	process	target process
PID 3052 wrote to memory of 3948	3052		EDAC.exe
PID 3052 wrote to memory of 3948	3052		EDAC.exe
PID 3052 wrote to memory of 3948	3052		EDAC.exe
PID 3948 wrote to memory of 4724	3948	EDAC.exe	rundll32.exe
PID 3948 wrote to memory of 4724	3948	EDAC.exe	rundll32.exe
PID 3948 wrote to memory of 4724	3948	EDAC.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe
"C:\Users\Admin\AppData\Local\Temp\d7b569a977e94f8e8afe1f626dc41021faae0d8e81f6af60691d467ed68dcf54.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2768

C:\Users\Admin\AppData\Local\Temp\EDAC.exe
C:\Users\Admin\AppData\Local\Temp\EDAC.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Didddpquafu.dll,start
2⤵
- Loads dropped DLL
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 568
2⤵
- Program crash
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3948 -ip 3948
1⤵
PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Didddpquafu.dll
Filesize
2.4MB

MD5
c9fa765dfcc586ca8f019fdedeb765e8

SHA1
c65569f30286e0438fb9f8c75c8b17dfa1c2ac3a

SHA256
8902684f92c2d60d109a710bd7d8a56fa118359f43885b4c5a6f22f9c0d37efc

SHA512
6fd857a3276ed504af4aada7d45b9536f1e622df65e8ea5649612bc27eff5268f26a33862ce04e93915fb181d08ab6ff63c29f703e12927ea8f1baab47e73f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Didddpquafu.dll
Filesize
2.4MB

MD5
c9fa765dfcc586ca8f019fdedeb765e8

SHA1
c65569f30286e0438fb9f8c75c8b17dfa1c2ac3a

SHA256
8902684f92c2d60d109a710bd7d8a56fa118359f43885b4c5a6f22f9c0d37efc

SHA512
6fd857a3276ed504af4aada7d45b9536f1e622df65e8ea5649612bc27eff5268f26a33862ce04e93915fb181d08ab6ff63c29f703e12927ea8f1baab47e73f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDAC.exe
Filesize
2.6MB

MD5
09ddecb89fca0343bb42e7fe5fb3d22d

SHA1
c4e17d4dc94bbf8c34eda331fda723e6d947b3cc

SHA256
a1752d44a9fa327b114311a0e2479c1d082d7b746f1c462ad0bcc0a8e4a5a239

SHA512
545fea3301159d1c3c9d7696943d2fd803bccdc723be87c115faecc7263b78222376e0390957186e2b19c206bf51badb45dc8bc40b991fa8eaaf62ebc5f752f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDAC.exe
Filesize
2.6MB

MD5
09ddecb89fca0343bb42e7fe5fb3d22d

SHA1
c4e17d4dc94bbf8c34eda331fda723e6d947b3cc

SHA256
a1752d44a9fa327b114311a0e2479c1d082d7b746f1c462ad0bcc0a8e4a5a239

SHA512
545fea3301159d1c3c9d7696943d2fd803bccdc723be87c115faecc7263b78222376e0390957186e2b19c206bf51badb45dc8bc40b991fa8eaaf62ebc5f752f8

Download Submit
memory/2768-135-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2768-136-0x00000000006C1000-0x00000000006D6000-memory.dmp

Filesize
84KB

Download
memory/2768-133-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/2768-134-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2768-132-0x00000000006C1000-0x00000000006D6000-memory.dmp

Filesize
84KB

Download
memory/3948-137-0x0000000000000000-mapping.dmp

Download
memory/3948-140-0x0000000002511000-0x000000000275D000-memory.dmp

Filesize
2.3MB

Download
memory/3948-141-0x0000000002760000-0x0000000002AE5000-memory.dmp

Filesize
3.5MB

Download
memory/3948-145-0x0000000000400000-0x0000000000792000-memory.dmp

Filesize
3.6MB

Download
memory/3948-146-0x0000000002760000-0x0000000002AE5000-memory.dmp

Filesize
3.5MB

Download
memory/4724-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads