danabot | 3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b

General

Target

3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exe
Size

213KB
MD5

3e23f49eff3b4d6053df76fc0376b927
SHA1

ed5990226d937c0700b8ada712e5d2b2896f04d9
SHA256

3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b
SHA512

9fd7fc065f55ff8538eae5886008e0fc53daf3abfe75fd30b6c97c48e939677d9a39d150953c5bf4727c0929d0d13bdb773ad9b071cb404b7186b1aa7dab9755
SSDEEP

3072:n7u3rHzLeqoGWgR3/0OSEX6JJa3lIIVNRAtOba+De2tVjcbImdzmuX:7u3vLeFG7jX6Da190GTjcbXF

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

C2

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

embedded_hash
8F56CD73F6B5CD5D7B17B0BA61E70A82
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4992-133-0x00000000005F0000-0x00000000005F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1C71.exefvivrif

pid process

428 1C71.exe
3332 fvivrif
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

760 rundll32.exe
760 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1472 428 WerFault.exe 1C71.exe

pid	process
428	1C71.exe
3332	fvivrif

pid	process
760	rundll32.exe
760	rundll32.exe

pid	pid_target	process	target process
1472	428	WerFault.exe	1C71.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fvivrif3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fvivrif
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fvivrif
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fvivrif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exe

pid	process
4992	3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exe
4992	3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exe
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2620
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exefvivrif

pid process

4992 3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exe
3332 fvivrif

pid	process
2620

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2620
Token: SeCreatePagefilePrivilege	2620
Token: SeShutdownPrivilege	2620
Token: SeCreatePagefilePrivilege	2620

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1C71.exe

description	pid	process	target process
PID 2620 wrote to memory of 428	2620		1C71.exe
PID 2620 wrote to memory of 428	2620		1C71.exe
PID 2620 wrote to memory of 428	2620		1C71.exe
PID 428 wrote to memory of 760	428	1C71.exe	rundll32.exe
PID 428 wrote to memory of 760	428	1C71.exe	rundll32.exe
PID 428 wrote to memory of 760	428	1C71.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exe
"C:\Users\Admin\AppData\Local\Temp\3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4992

C:\Users\Admin\AppData\Local\Temp\1C71.exe
C:\Users\Admin\AppData\Local\Temp\1C71.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
2⤵
- Loads dropped DLL
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 488
2⤵
- Program crash
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 428 -ip 428
1⤵
PID:4616

C:\Users\Admin\AppData\Roaming\fvivrif
C:\Users\Admin\AppData\Roaming\fvivrif
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1C71.exe
Filesize
2.4MB

MD5
90e31bba0579eef6c26cbc88e32c65e6

SHA1
ecd1c9638264a0bcd9e55488a11b934fbbe58f4b

SHA256
159285b33651bd7a9ae9fa6b7c6975e4df5d980b0c8ae94ee42185824e5e854c

SHA512
a03953d64508dc760b3e6bab2260011e80ebfe42f9bb9138416b54017d328fe8d659f82a9dd5561c6cca74bccaf5ee100123b4cb52d30203252a0e537dd7da1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C71.exe
Filesize
2.4MB

MD5
90e31bba0579eef6c26cbc88e32c65e6

SHA1
ecd1c9638264a0bcd9e55488a11b934fbbe58f4b

SHA256
159285b33651bd7a9ae9fa6b7c6975e4df5d980b0c8ae94ee42185824e5e854c

SHA512
a03953d64508dc760b3e6bab2260011e80ebfe42f9bb9138416b54017d328fe8d659f82a9dd5561c6cca74bccaf5ee100123b4cb52d30203252a0e537dd7da1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
4d7ad32936d3b12dd06b85d79169e0d3

SHA1
af08899b1d3deb6d15f608859de677232d74b203

SHA256
26aaa7a62b2f91a69c02cadff3c69e1b484fe3658be2183456d9bf4c8a476d1d

SHA512
b4d3e2a22143ec9bab93891b8606ef00d08b7a6746d690e638328ce1fdd9416d285f28fce4a558c29f2404968cb9203038630cc290574150308e2a960e9f418f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
4d7ad32936d3b12dd06b85d79169e0d3

SHA1
af08899b1d3deb6d15f608859de677232d74b203

SHA256
26aaa7a62b2f91a69c02cadff3c69e1b484fe3658be2183456d9bf4c8a476d1d

SHA512
b4d3e2a22143ec9bab93891b8606ef00d08b7a6746d690e638328ce1fdd9416d285f28fce4a558c29f2404968cb9203038630cc290574150308e2a960e9f418f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
4d7ad32936d3b12dd06b85d79169e0d3

SHA1
af08899b1d3deb6d15f608859de677232d74b203

SHA256
26aaa7a62b2f91a69c02cadff3c69e1b484fe3658be2183456d9bf4c8a476d1d

SHA512
b4d3e2a22143ec9bab93891b8606ef00d08b7a6746d690e638328ce1fdd9416d285f28fce4a558c29f2404968cb9203038630cc290574150308e2a960e9f418f

Download Submit
C:\Users\Admin\AppData\Roaming\fvivrif
Filesize
213KB

MD5
3e23f49eff3b4d6053df76fc0376b927

SHA1
ed5990226d937c0700b8ada712e5d2b2896f04d9

SHA256
3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b

SHA512
9fd7fc065f55ff8538eae5886008e0fc53daf3abfe75fd30b6c97c48e939677d9a39d150953c5bf4727c0929d0d13bdb773ad9b071cb404b7186b1aa7dab9755

Download Submit
C:\Users\Admin\AppData\Roaming\fvivrif
Filesize
213KB

MD5
3e23f49eff3b4d6053df76fc0376b927

SHA1
ed5990226d937c0700b8ada712e5d2b2896f04d9

SHA256
3cefa3c1edd161d27545ffef750c266575bf4df100b5b3652f962f082da9b93b

SHA512
9fd7fc065f55ff8538eae5886008e0fc53daf3abfe75fd30b6c97c48e939677d9a39d150953c5bf4727c0929d0d13bdb773ad9b071cb404b7186b1aa7dab9755

Download Submit
memory/428-145-0x0000000002770000-0x0000000002AF5000-memory.dmp

Filesize
3.5MB

Download
memory/428-144-0x0000000002516000-0x0000000002761000-memory.dmp

Filesize
2.3MB

Download
memory/428-146-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/428-136-0x0000000000000000-mapping.dmp

Download
memory/760-139-0x0000000000000000-mapping.dmp

Download
memory/760-143-0x0000000002250000-0x00000000024C1000-memory.dmp

Filesize
2.4MB

Download
memory/760-147-0x0000000002250000-0x00000000024C1000-memory.dmp

Filesize
2.4MB

Download
memory/760-148-0x0000000002250000-0x00000000024C1000-memory.dmp

Filesize
2.4MB

Download
memory/3332-151-0x0000000000708000-0x0000000000718000-memory.dmp

Filesize
64KB

Download
memory/3332-152-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3332-153-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4992-133-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/4992-132-0x0000000000678000-0x0000000000689000-memory.dmp

Filesize
68KB

Download
memory/4992-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4992-135-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads