danabot | 78284c9f117c387050311cd0a08d695ca8b1136b0db2f45397a04f1ac5a9a250

Analysis

max time kernel
150s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18/12/2022, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78284c9f117c387050311cd0a08d695ca8b1136b0db2f45397a04f1ac5a9a250.exe
Size

214KB
MD5

906d61684a9994d7e338ffbde12a77cc
SHA1

d4e08cd8096504aca9a01dfae631de580b3da365
SHA256

78284c9f117c387050311cd0a08d695ca8b1136b0db2f45397a04f1ac5a9a250
SHA512

2952dee399886f2b82463eb69eba02b30c29dab0efd1883b826cd2804497fd30b2536cea3cf8d2acb42065be6f3a47dcc567f38917bfdf9b754988f2bf4f9a06
SSDEEP

6144:UkJLPvkxjs9QVO/+ywvE+JHq8TjlVklPH:UkJjcNsuVO/CECflU

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

embedded_hash
8F56CD73F6B5CD5D7B17B0BA61E70A82
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/1004-141-0x00000000001E0000-0x00000000001E9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
988	E024.exe

Deletes itself 1 IoCs

pid	Process
2556	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2568	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78284c9f117c387050311cd0a08d695ca8b1136b0db2f45397a04f1ac5a9a250.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78284c9f117c387050311cd0a08d695ca8b1136b0db2f45397a04f1ac5a9a250.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78284c9f117c387050311cd0a08d695ca8b1136b0db2f45397a04f1ac5a9a250.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1004	78284c9f117c387050311cd0a08d695ca8b1136b0db2f45397a04f1ac5a9a250.exe
1004	78284c9f117c387050311cd0a08d695ca8b1136b0db2f45397a04f1ac5a9a250.exe
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1004	78284c9f117c387050311cd0a08d695ca8b1136b0db2f45397a04f1ac5a9a250.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 988	2556	Process not Found	66
PID 2556 wrote to memory of 988	2556	Process not Found	66
PID 2556 wrote to memory of 988	2556	Process not Found	66
PID 988 wrote to memory of 2568	988	E024.exe	67
PID 988 wrote to memory of 2568	988	E024.exe	67
PID 988 wrote to memory of 2568	988	E024.exe	67

C:\Users\Admin\AppData\Local\Temp\78284c9f117c387050311cd0a08d695ca8b1136b0db2f45397a04f1ac5a9a250.exe
"C:\Users\Admin\AppData\Local\Temp\78284c9f117c387050311cd0a08d695ca8b1136b0db2f45397a04f1ac5a9a250.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1004

C:\Users\Admin\AppData\Local\Temp\E024.exe
C:\Users\Admin\AppData\Local\Temp\E024.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
  2⤵
  - Loads dropped DLL
  PID:2568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E024.exe

Filesize
2.4MB

MD5
73d6902d621eaf39531d4115dd5ec524

SHA1
e9a1c23b79add277750b5063e67544f599cdbe54

SHA256
ca8d37d3714da79fd3a4819840061dc744315738abb6767768ba6adb93f3bc25

SHA512
b66ba42c23bc0e125b2dc341984ab3def9e639a4aa250eadf56bf6e4b4b85861f925e992905f9162f19e5e27b046f4d36464fe11b3bda3473b1a7cae7b9dca07

Download Submit
C:\Users\Admin\AppData\Local\Temp\E024.exe

Filesize
2.4MB

MD5
73d6902d621eaf39531d4115dd5ec524

SHA1
e9a1c23b79add277750b5063e67544f599cdbe54

SHA256
ca8d37d3714da79fd3a4819840061dc744315738abb6767768ba6adb93f3bc25

SHA512
b66ba42c23bc0e125b2dc341984ab3def9e639a4aa250eadf56bf6e4b4b85861f925e992905f9162f19e5e27b046f4d36464fe11b3bda3473b1a7cae7b9dca07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
e4efd81cb4b298c079d3b66d771b55d7

SHA1
c8debc36eed530cf2c22d3f1f5a5ec5ca38a6f67

SHA256
69d293c0aabdefa030e2f9356edbf3334c8d5a93e50b0826724cecfa9b21462e

SHA512
21395cebbb27a607268355e6b778b16764987d47057429dd81859e32aaaddc4c43701af803d571ac02f9eb9870b511a090a84e98a6199ddab93543d830f6f82f

Download Submit
\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

Filesize
2.4MB

MD5
e4efd81cb4b298c079d3b66d771b55d7

SHA1
c8debc36eed530cf2c22d3f1f5a5ec5ca38a6f67

SHA256
69d293c0aabdefa030e2f9356edbf3334c8d5a93e50b0826724cecfa9b21462e

SHA512
21395cebbb27a607268355e6b778b16764987d47057429dd81859e32aaaddc4c43701af803d571ac02f9eb9870b511a090a84e98a6199ddab93543d830f6f82f

Download Submit
memory/988-177-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-176-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-213-0x00000000027A0000-0x0000000002B25000-memory.dmp

Filesize
3.5MB

Download
memory/988-211-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/988-195-0x00000000027A0000-0x0000000002B25000-memory.dmp

Filesize
3.5MB

Download
memory/988-192-0x0000000000CB0000-0x0000000000F00000-memory.dmp

Filesize
2.3MB

Download
memory/988-186-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-187-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-185-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-184-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-183-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-182-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-156-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-181-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-180-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-178-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-179-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-175-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-174-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-158-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-172-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-171-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-170-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-169-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-157-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-167-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-166-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-165-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-164-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-161-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-160-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-159-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-173-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-168-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/988-155-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-115-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-141-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/1004-152-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1004-151-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-150-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-149-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-118-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-148-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-147-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-146-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-145-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-144-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-142-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-143-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1004-132-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-140-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/1004-139-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-138-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-119-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-137-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-131-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-120-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-135-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-134-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-133-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-136-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-130-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-129-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-128-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-127-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-126-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-125-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-124-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-116-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-123-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-121-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/1004-117-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2568-262-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/2568-270-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download