Overview

overview

10

Static

static

b6e3f01f49...f5.exe

windows7-x64

10

b6e3f01f49...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2022 19:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6e3f01f4942008f68c8649fa24daf9ace975ee9e4e47b50611c87414de12ff5.exe

  • Size

    214KB

  • MD5

    59299a2e1bb32ca5875b197e7d2d339f

  • SHA1

    a081d3d73d8c39bf9049632af2a7a3e8a360165c

  • SHA256

    b6e3f01f4942008f68c8649fa24daf9ace975ee9e4e47b50611c87414de12ff5

  • SHA512

    51562dc2e31b65ed77c4a404ab325f28e03d673a95079720be9ac1d43234228f16ddb8f0521fbe7980b2aa96051093037e6502b7dcea0e5244e8c16099928626

  • SSDEEP

    3072:Y3BWLxxIaRRRdZoQt0nemkBAq2muZGVaNRAtOba+A3+9jcbImdzmuX:YRWLxx5Zx0emc/00nQjcbXF

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 19 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6e3f01f4942008f68c8649fa24daf9ace975ee9e4e47b50611c87414de12ff5.exe
    "C:\Users\Admin\AppData\Local\Temp\b6e3f01f4942008f68c8649fa24daf9ace975ee9e4e47b50611c87414de12ff5.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1224
  • C:\Users\Admin\AppData\Local\Temp\E3EC.exe
    C:\Users\Admin\AppData\Local\Temp\E3EC.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14144
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4588
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 528
      2⤵
      • Program crash
      PID:4464
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4820 -ip 4820
    1⤵
      PID:2752
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4612
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:3032
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\main.dll",XxpFeQ==
            2⤵
              PID:4444

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\WindowsPowerShell\Modules\main.dll
            Filesize

            797KB

            MD5

            773446f9cab4f5fe3addb124be2646fb

            SHA1

            c41fd86a511c40875d4f1febe7957724b8155196

            SHA256

            b9732be4c6cf1e763cdfe2b961b38ef5d6c8fc13fc9c32243c97c787450c9648

            SHA512

            55d92072da6ee855184159a1e8b8377a526b70db961d68e8d3c659c628fddaed02054d101d1f579580f916fef9279c260c8f23affc3c8e2be4d919cc28aa5ed2

            Download Submit

          • C:\Program Files (x86)\WindowsPowerShell\Modules\main.dll
            Filesize

            797KB

            MD5

            773446f9cab4f5fe3addb124be2646fb

            SHA1

            c41fd86a511c40875d4f1febe7957724b8155196

            SHA256

            b9732be4c6cf1e763cdfe2b961b38ef5d6c8fc13fc9c32243c97c787450c9648

            SHA512

            55d92072da6ee855184159a1e8b8377a526b70db961d68e8d3c659c628fddaed02054d101d1f579580f916fef9279c260c8f23affc3c8e2be4d919cc28aa5ed2

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\EaseOfAccessSettings2013.xml
            Filesize

            5KB

            MD5

            7ac38dcc72989ac01bd1a67d484af471

            SHA1

            458224b5c1c1696d8255a355a6100a4652fd7bd7

            SHA256

            923335d4d6399bd1bc2d44d264183cba0e2a2c3ecb1d18472003e787275d7e46

            SHA512

            ae5f247648411df8657a2806e5a9ff8e48bf79cf19d2b4101ef67fa78d7b55e37248190ed1d60f58255fe5ceff38017764b0a0d73108150dd4666dde75c0ce14

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
            Filesize

            2.3MB

            MD5

            89f321518f776b7d9b94600778f276d1

            SHA1

            7a9cba8fec3b57cc0c7309a7179cb97f634e77dd

            SHA256

            0a022390618e02a7fc42b725a11343221a42657d984e0e25d43a2020f778310e

            SHA512

            afe7829a4bdbf2138d80ea183d26c48faf877bae28f2353461200daa372c2af2a222e449cf7e7f52adafe74666ffc8cd82b48437fce35cd8e030bf52ba194911

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
            Filesize

            2.3MB

            MD5

            a91d69f82b31ff9ae57209a867a56f9e

            SHA1

            7b6bd5680a63e3a8d6ad58cbc0949588190910c4

            SHA256

            b95637dc4de3710cf3c6cf343d41eef248b20fad28e3cdf6bdf44273fd44a598

            SHA512

            ad28f2d5b669a20e96dfeaa7c8b39d2dffdea9635a3dde33d0034ea44bd10e56798c6eb0ca470e001c4c0a31182c70d0cd0c5e27f59b39ee10dae229a4acdba7

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MasterDescriptor.en-us.xml
            Filesize

            28KB

            MD5

            4bee7862d96900a7b0f20d709ffe5af2

            SHA1

            59f4073ff756ee74e83e5d9448e7d6da69f3bf08

            SHA256

            526cb82e083378ccc1a5465f3250f40f9e74bdbc65c58ab9210fc8a88b273e63

            SHA512

            ee0f19e4aa0006b4da4b16522eea9774c09b07d6fae3529992df7f5f47ee1fa49a6ec5b77370be594762ec63f1f6aee4be139e44f2f369f5590777cf95d9be31

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe.xml
            Filesize

            17KB

            MD5

            88edd5a41ab82f584c96038657f61fa0

            SHA1

            7196dd2233a620172932cbe75afc1eae004de540

            SHA256

            fc79e5ee3a80f00498b8be20796daacc279aee43b522cf3a968266c629e27ff5

            SHA512

            d75a11ab48d11114c753a1cb7c1cb3ef19e5b5e90818d6842278d28d72d85582aabfbcf324af94abc1fe47ed7b1d7cfd9660852dc59f9026f812a662adfbee4d

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\SettingsLocationTemplate.xsd
            Filesize

            9KB

            MD5

            f35965aa615dd128c2b95cfe925145c3

            SHA1

            57346050388048feb8034d5011b105018483b4a0

            SHA256

            ea9674d42081557b34958b2f7085f8d3865e71660d8f36258fa1c088d90d2398

            SHA512

            82767fdf269f813b5d39bb44c481f01678f9eab332ecc42f11d5a4f00a1970a6dd1875d30a98042113d37b04e501414b33e18abf2ab2a7995e5e773489f9cd82

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\resource.xml
            Filesize

            1KB

            MD5

            52cf638286d2e53bf8536fb9f4d8014d

            SHA1

            da04999d41cd61d6f6bf0dd87d515dcc85d33e29

            SHA256

            c6aea09422e8d810106006e4abe46a68bc918fc2b02ad135c90f68cd648e3b4a

            SHA512

            2398c927e9818ff3bf663463fb12120b4de3fdd9da2da241edefce2f2e5633f94274d66f1299acc13288bf9a7aca5ca40d91528807968227142e7842867012ed

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json
            Filesize

            121B

            MD5

            70bdaa5c409965a452e47aa001033c53

            SHA1

            594fad49def244b2a459ddd86bf1763e190917e3

            SHA256

            433ea519024b5837e58afc7f968df10b5fc3144b4da790c68a72c40740bdfa58

            SHA512

            62f25a4e598f3592cb8bb789ae4127c067fbcb3c738983f8da49996c9bdc981cebe266c666a416abe5cda8f321c8d62aa60da87dc77aef1843035dcb5400dbcc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\E3EC.exe
            Filesize

            1.1MB

            MD5

            0632c99ab43231f1f8b7c7f6bc8e30d8

            SHA1

            ea284fc244536dd7f1ef4990879a554cd1375671

            SHA256

            b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1

            SHA512

            56dc4e12f80d175901acf8be0d3fa9512ce581774caaa6593a49b1369219022ebfa098e1ba47930f7619174f7afa4b0155bcac4d83162841b40899458cd1c643

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\E3EC.exe
            Filesize

            1.1MB

            MD5

            0632c99ab43231f1f8b7c7f6bc8e30d8

            SHA1

            ea284fc244536dd7f1ef4990879a554cd1375671

            SHA256

            b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1

            SHA512

            56dc4e12f80d175901acf8be0d3fa9512ce581774caaa6593a49b1369219022ebfa098e1ba47930f7619174f7afa4b0155bcac4d83162841b40899458cd1c643

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit

          • \??\c:\program files (x86)\windowspowershell\modules\main.dll
            Filesize

            797KB

            MD5

            773446f9cab4f5fe3addb124be2646fb

            SHA1

            c41fd86a511c40875d4f1febe7957724b8155196

            SHA256

            b9732be4c6cf1e763cdfe2b961b38ef5d6c8fc13fc9c32243c97c787450c9648

            SHA512

            55d92072da6ee855184159a1e8b8377a526b70db961d68e8d3c659c628fddaed02054d101d1f579580f916fef9279c260c8f23affc3c8e2be4d919cc28aa5ed2

            Download Submit

          • memory/1224-134-0x0000000000400000-0x000000000045D000-memory.dmp

            Filesize

            372KB

            Download

          • memory/1224-135-0x0000000000400000-0x000000000045D000-memory.dmp

            Filesize

            372KB

            Download

          • memory/1224-133-0x00000000005B0000-0x00000000005B9000-memory.dmp

            Filesize

            36KB

            Download

          • memory/1224-132-0x0000000000649000-0x0000000000659000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3032-172-0x0000000003D90000-0x00000000044B5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/3032-163-0x0000000003D90000-0x00000000044B5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4444-171-0x0000000000000000-mapping.dmp

            Download

          • memory/4588-153-0x00007FF608CD6890-mapping.dmp

            Download

          • memory/4588-155-0x0000015A47690000-0x0000015A477D0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4588-154-0x0000015A47690000-0x0000015A477D0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4588-157-0x0000000000390000-0x00000000005A9000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/4588-158-0x0000015A477F0000-0x0000015A47A1A000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/4820-142-0x00000000020B0000-0x000000000219E000-memory.dmp

            Filesize

            952KB

            Download

          • memory/4820-144-0x0000000000400000-0x0000000000531000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4820-136-0x0000000000000000-mapping.dmp

            Download

          • memory/4820-143-0x00000000023A0000-0x00000000024D0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4988-148-0x0000000004C90000-0x0000000004DD0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4988-150-0x0000000004C90000-0x0000000004DD0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4988-149-0x0000000004C90000-0x0000000004DD0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4988-159-0x0000000004460000-0x0000000004B85000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4988-147-0x0000000004C90000-0x0000000004DD0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4988-146-0x0000000004460000-0x0000000004B85000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4988-145-0x0000000004460000-0x0000000004B85000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4988-151-0x0000000004C90000-0x0000000004DD0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4988-152-0x0000000004C90000-0x0000000004DD0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4988-139-0x0000000000000000-mapping.dmp

            Download

          • memory/4988-156-0x0000000004D09000-0x0000000004D0B000-memory.dmp

            Filesize

            8KB

            Download