Resubmissions
- 201008-e8qrqmf3ze (08-10-2020 10:50, win10)
- 201008-88hf9vxww6 (08-10-2020 10:38, win10)
- 201008-pjmzjspx2n (08-10-2020 09:34, win10)

Analysis
- max time kernel: 133s
- max time network: 141s
- platform: windows10_x64
- resource: win10
- submitted: 08-10-2020 09:34
Static task: static1
Behavioral task: behavioral1
- Sample: dan777.bin.exe
- Resource: win7v200722
General
- Target: dan777.bin.exe
- Size: 2.3MB
- MD5: 565a67a6dff8d567038d9fe8c7fa0024
- SHA1: a3f8c5b142a8fbeb72664d521dfe91e4939eaffe
- SHA256: de146c4ebb0ba2850b93cb358f78b671f50724c9710127d6755c1c2f2f23d698
- SHA512: f075b5ebf4ff35ce85ba5cf15ebfb3da760a67daa23c294545630c1d1a62d02a5282c5a24b82fd9fc5285ce68b6e6b79185c6e8812e882a058ae3ee3ca555022
Malware Config
Extracted
- Family: danabot
- C2 addresses:
  73.48.92.89
  193.144.40.26
  219.30.45.197
  95.179.168.37
  151.236.14.84
  142.181.133.99
  234.63.35.120
  74.12.197.16
  85.229.148.210
  117.69.242.3
Signatures

Danabot x86 payload (5 IoCs)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\dan777.dll | family_danabot
(the same dropped DLL matched five times in total; the other four hits are recorded as \Users\Admin\AppData\Local\Temp\dan777.dll, without the drive letter)

Blocklisted process makes network request (7 IoCs)
flow | pid | process
9 | 1544 | rundll32.exe
10 | 1544 | rundll32.exe
12 | 1544 | rundll32.exe
13 | 1544 | rundll32.exe
14 | 1544 | rundll32.exe
15 | 1544 | rundll32.exe
16 | 1544 | rundll32.exe

Loads dropped DLL (4 IoCs)
pid | process
1260 | regsvr32.exe
1260 | regsvr32.exe
1544 | rundll32.exe
1544 | rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | target process
PID 2720 wrote to memory of 1260 | 2720 | dan777.bin.exe | regsvr32.exe (reported 3 times)
PID 1260 wrote to memory of 1544 | 1260 | regsvr32.exe | rundll32.exe (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe (PID 2720)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 1260, parent 2720)
    Command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\dan777.dll f1 C:\Users\Admin\AppData\Local\Temp\DAN777~1.EXE@2720
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 1544, parent 1260)
      Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\dan777.dll,f0
      - Blocklisted process makes network request
      - Loads dropped DLL

Notes on the chain: the loader registers the dropped DLL silently (-s) through regsvr32 and appends its own 8.3 short path and PID (DAN777~1.EXE@2720) as trailing arguments; regsvr32 then re-launches the same DLL through rundll32 with export f0, and it is that rundll32 instance (PID 1544) that performs the network requests. The regsvr32 command line names C:\Windows\system32\, but the image that actually ran is C:\Windows\SysWOW64\regsvr32.exe: the loader is a 32-bit process, so WOW64 file-system redirection maps system32 to SysWOW64. Detections keyed on the executable path should therefore use the process image, not the command-line text.
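The process tree and signature tables above describe a chain that can be expressed as detection logic: a binary running from a user's Temp directory spawns regsvr32 with a Temp-directory DLL, regsvr32 spawns rundll32 with the same DLL, and rundll32 then connects to the extracted C2 addresses. The following is an added example, not code from the sandbox report or from the Triage platform; the event records are constructed here to mirror the page's process tree and flow ids, and the field names (pid, ppid, image, cmdline, dst) are an assumed Sysmon-like schema rather than any particular product's format.

```python
"""Detection logic for the Danabot loader chain shown in this report.

Added example: not code from the sandbox report or the Triage platform.
PROCESS_EVENTS and NETWORK_EVENTS are constructed to mirror the report's
process tree and flow table; the field names are an assumed schema.
"""
import re

# C2 addresses extracted from the sample's configuration (from the report).
DANABOT_C2 = {
    "73.48.92.89", "193.144.40.26", "219.30.45.197", "95.179.168.37",
    "151.236.14.84", "142.181.133.99", "234.63.35.120", "74.12.197.16",
    "85.229.148.210", "117.69.242.3",
}

# A .dll under a per-user Temp directory, either as a bare path (regsvr32
# form) or followed by ",export" (rundll32 form).
TEMP_DLL_RE = re.compile(
    r'(?i)[a-z]:\\users\\[^\\\s"]+\\appdata\\local\\temp\\[^\s,"]+?\.dll(?=$|[\s,"])'
)
# Image path of a process whose own binary lives in a per-user Temp directory.
TEMP_IMAGE_RE = re.compile(r'(?i)^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\')
# Trailing "<path>@<pid>" argument that the loader passes to regsvr32.
LOADER_REF_RE = re.compile(r'(?P<path>\S+)@(?P<pid>\d+)\s*$')
LOLBINS = {"regsvr32.exe", "rundll32.exe"}

PROCESS_EVENTS = [  # constructed; mirrors the report's process tree
    {"pid": 2720, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe"'},
    {"pid": 1260, "ppid": 2720, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\dan777.dll"
                r" f1 C:\Users\Admin\AppData\Local\Temp\DAN777~1.EXE@2720"},
    {"pid": 1544, "ppid": 1260, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\dan777.dll,f0"},
    {"pid": 3001, "ppid": 900, "image": r"C:\Windows\System32\regsvr32.exe",  # benign control
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
]
NETWORK_EVENTS = [  # constructed; flow ids 9 and 10 as in the signature table
    {"flow": 9, "pid": 1544, "image": r"C:\Windows\SysWOW64\rundll32.exe", "dst": "193.144.40.26"},
    {"flow": 10, "pid": 1544, "image": r"C:\Windows\SysWOW64\rundll32.exe", "dst": "95.179.168.37"},
    {"flow": 11, "pid": 4100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst": "93.184.216.34"},
]


def basename(path):
    """Lower-cased file name of a Windows path (use the image, not the cmdline)."""
    return path.rsplit("\\", 1)[-1].lower()


def temp_dll_from_cmdline(cmdline):
    """Return the Temp-directory DLL named on a command line, or None."""
    m = TEMP_DLL_RE.search(cmdline)
    return m.group(0) if m else None


def loader_reference(cmdline):
    """Parse the trailing '<path>@<pid>' argument; returns (path, pid) or None."""
    m = LOADER_REF_RE.search(cmdline)
    return (m.group("path"), int(m.group("pid"))) if m else None


def find_loader_chains(events):
    """Find Temp EXE -> regsvr32 <Temp DLL> -> rundll32 <same DLL> chains."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        if basename(e["image"]) != "rundll32.exe":
            continue
        dll = temp_dll_from_cmdline(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if dll is None or parent is None or basename(parent["image"]) != "regsvr32.exe":
            continue
        if (temp_dll_from_cmdline(parent["cmdline"]) or "").lower() != dll.lower():
            continue
        loader = by_pid.get(parent["ppid"])
        if loader is None or not TEMP_IMAGE_RE.match(loader["image"]):
            continue
        ref = loader_reference(parent["cmdline"])
        chains.append({
            "loader_pid": loader["pid"], "regsvr32_pid": parent["pid"],
            "rundll32_pid": e["pid"], "dll": dll,
            # True when the PID embedded in regsvr32's arguments is the real grandparent.
            "arg_pid_matches_loader": ref is not None and ref[1] == loader["pid"],
        })
    return chains


def flag_network(net_events, c2=DANABOT_C2):
    """Flows worth triage: LOLBin-originated and/or to a known C2 address."""
    hits = []
    for n in net_events:
        reasons = []
        if basename(n["image"]) in LOLBINS:
            reasons.append("lolbin_network")
        if n["dst"] in c2:
            reasons.append("known_danabot_c2")
        if reasons:
            hits.append((n["flow"], n["pid"], n["dst"], reasons))
    return hits


if __name__ == "__main__":
    for chain in find_loader_chains(PROCESS_EVENTS):
        print("loader chain:", chain)
    for hit in flag_network(NETWORK_EVENTS):
        print("network hit:", hit)
```

The structural rule (Temp executable, regsvr32 -s on a Temp DLL, rundll32 on the same DLL) is the durable part of this detection; the C2 list is only good for the lifetime of this configuration, and the `f1`/`<path>@<pid>` argument shape is specific to this loader, which is why the code records it as corroboration rather than requiring it. Binary identity is taken from the process image rather than the command line because, as the process tree shows, the two can differ under WOW64 redirection.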
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\dan777.dll
  MD5: 28c1aecd73e803ab59c0a24cf195057e
  SHA1: fe022eb915ce2d521539dafe0d0d6d60cbb978e7
  SHA256: c7a7449f51761699ebe8e133898fba97b86224d6b13df67a5cffd85168203bb6
  SHA512: fb5128956e76c79835ab0b4cea52aa002203eb4ee318b94985e54a58330cebfccc966f00ef88d5f08f52a4e10925399b7436146ac14dba77aedf40e1a690f76d
  (the same file is listed four further times as \Users\Admin\AppData\Local\Temp\dan777.dll with identical hashes)
- memory/1260-0-0x0000000000000000-mapping.dmp (regsvr32.exe, PID 1260)
- memory/1544-4-0x0000000000000000-mapping.dmp (rundll32.exe, PID 1544)