Analysis
-
max time kernel
149s
-
max time network
152s
-
platform
windows10_x64
-
resource
win10-en-20210920
-
submitted
26-09-2021 16:20
Static task
static1
General
-
Target
48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe
-
Size
1.0MB
-
MD5
ade05fb522e755083b91765182a61b3b
-
SHA1
590c4e1c7da966ed3d5e47b373a0b7906926eb64
-
SHA256
48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104
-
SHA512
e6ba593bc31fb568bb8f9f6486ca6f2682dd77f689e9d9c9c9d6dc6d387a265cfe3fd1fc91a6c427e52a89d2c4a9f3fa60c40c023fa47c02c93f46f8b44f5755
Malware Config
Extracted
danabot
23.254.144.209:443
192.236.194.86:443
142.11.192.232:443
-
embedded_hash
0E1A7A1479C37094441FA911262B322A
Signatures
-
Danabot Loader Component 4 IoCs
Processes:
resource                                                                      yara_rule
C:\Users\Admin\AppData\Local\Temp\48A21E~1.DLL                                DanabotLoader2021
\Users\Admin\AppData\Local\Temp\48A21E~1.DLL                                  DanabotLoader2021
\Users\Admin\AppData\Local\Temp\48A21E~1.DLL                                  DanabotLoader2021
behavioral1/memory/1896-120-0x0000000004710000-0x0000000004873000-memory.dmp  DanabotLoader2021
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exe
flow  pid   process
7     1896  rundll32.exe
-
Loads dropped DLL 2 IoCs
Processes:
rundll32.exe
pid   process
1896  rundll32.exe
1896  rundll32.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe
description                       pid   process                                                               target process
PID 1832 wrote to memory of 1896  1832  48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe  rundll32.exe
PID 1832 wrote to memory of 1896  1832  48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe  rundll32.exe
PID 1832 wrote to memory of 1896  1832  48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe  rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\48A21E~1.DLL,s C:\Users\Admin\AppData\Local\Temp\48A21E~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Temp\48A21E~1.DLL
MD5
2286c9351b1946fe7ec4e567045a332c
SHA1
f603c7f6cf3fc134732f6371707ce98c21ae307b
SHA256
f14b7722c44f6313086036dbca6b83b42ef0e082c61c3a97b674831fdfa6b56c
SHA512
80ea88e52d4ec3c74a53ef711e0e67203a7e80973bca1b042abc7d83a23c51d090360ae88ddcef7a4597b1aa7f6b5ad487e03b4be5a8fd12fb699ac54928fc12
-
\Users\Admin\AppData\Local\Temp\48A21E~1.DLL
MD5
2286c9351b1946fe7ec4e567045a332c
SHA1
f603c7f6cf3fc134732f6371707ce98c21ae307b
SHA256
f14b7722c44f6313086036dbca6b83b42ef0e082c61c3a97b674831fdfa6b56c
SHA512
80ea88e52d4ec3c74a53ef711e0e67203a7e80973bca1b042abc7d83a23c51d090360ae88ddcef7a4597b1aa7f6b5ad487e03b4be5a8fd12fb699ac54928fc12
-
memory/1832-115-0x0000000002540000-0x0000000002646000-memory.dmp
Filesize
1.0MB
-
memory/1832-121-0x0000000000400000-0x0000000000590000-memory.dmp
Filesize
1.6MB
-
memory/1896-116-0x0000000000000000-mapping.dmp
-
memory/1896-120-0x0000000004710000-0x0000000004873000-memory.dmp
Filesize
1.4MB