Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 09-01-2022 09:23

Static task: static1
Behavioral task: behavioral1
- Sample: 4ecba4ce64055cdb334347082b8760bb.exe
- Resource: win7-en-20211208
General
- Target: 4ecba4ce64055cdb334347082b8760bb.exe
- Size: 1.1MB
- MD5: 4ecba4ce64055cdb334347082b8760bb
- SHA1: 24c2a2aba3bfefb3c6b2fd9844778dae2b505ec4
- SHA256: 80221beedf16097e3e36392e13b3bae27a6cf0d0190987ca98c72f3e8a3c4ab4
- SHA512: 1440ceeb38b297a1f7f052ec23e3f724b9cef9e60ff44ec98fa564b10f62657c7c1d6c8170c3da56f8081214df187fbc078ae471dded866632386dc0b59c3a52
Malware Config
Extracted: danabot
4
- C2: 192.119.110.4:443
- C2: 103.175.16.113:443
- embedded_hash: 422236FD601D11EE82825A484D26DD6F
- type: loader
Signatures
- Danabot Loader Component (6 IoCs)
  YARA rule DanabotLoader2021 matched:
  - C:\Users\Admin\AppData\Local\Temp\4ecba4ce64055cdb334347082b8760bb.exe.dll (the dropped DLL; 5 hits, one reported under C:\Users\... and four under \Users\...)
  - behavioral1/memory/1728-64-0x00000000009C0000-0x0000000000B11000-memory.dmp (memory of rundll32.exe, PID 1728)
- Loads dropped DLL (4 IoCs)
  rundll32.exe (PID 1728) loaded the dropped DLL, 4 events
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1632 (4ecba4ce64055cdb334347082b8760bb.exe) wrote to the memory of PID 1728 (rundll32.exe), 7 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\4ecba4ce64055cdb334347082b8760bb.exe (PID 1632)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4ecba4ce64055cdb334347082b8760bb.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1728), child of PID 1632
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ecba4ce64055cdb334347082b8760bb.exe.dll,z C:\Users\Admin\AppData\Local\Temp\4ecba4ce64055cdb334347082b8760bb.exe
      - Loads dropped DLL

The chain is: the sample writes its loader DLL next to itself in %TEMP% under the name <sample>.exe.dll, then runs rundll32 against that DLL, calling its export z and passing the sample's own path as the argument. Note that the command line names C:\Windows\system32\rundll32.exe while the process image is C:\Windows\SysWOW64\rundll32.exe: the sample is a 32-bit process on an x64 guest, so WoW64 file-system redirection maps System32 to SysWOW64. When hunting for this chain, match rundll32 in either directory and key on the DLL path and export rather than on the exact rundll32 path.
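As an added example, not part of the tria.ge report and not code from Danabot or Triage, the following Python hunts endpoint telemetry for the chain in the process tree above and for the indicators in the Malware Config and Downloads sections: a rundll32 launched against a <name>.exe.dll in a user's Temp directory with an export argument, the dropped DLL's SHA256 appearing in an image-load event, and connections to the two extracted C2 endpoints. The event records are constructed in the shape of Sysmon fields (EventID 1 process create, 7 image load, 3 network connect); paths, PIDs, hashes and C2 addresses come from the report, the benign events and everything else are made up.

```python
"""Hunt for the report's loader chain and IOCs in Sysmon-style telemetry.

Added example, not part of the tria.ge report. Events are constructed
(Sysmon field names); report values are real, benign events are made up.
"""
import re
from typing import Iterable, Optional

# IOCs taken from the report's Malware Config and Downloads sections.
DANABOT_C2 = {("192.119.110.4", 443), ("103.175.16.113", 443)}
DROPPED_DLL_SHA256 = {"3369b73e204aadd3507791a55aa743c6c097b754b2768de23184dc3757a6477b"}

# rundll32 invoked with a DLL that lives under a user's %TEMP% and carries the
# double extension <name>.exe.dll, followed by ",<export>" as in the report.
RUNDLL32_TEMP_DLL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^,"]*\\AppData\\Local\\Temp\\[^,"]*\.exe\.dll)"?,(?P<export>[^\s"]+)',
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def sysmon_hash(hashes: str, algo: str = "SHA256") -> Optional[str]:
    """Pull one algorithm out of Sysmon's 'SHA256=...,MD5=...' Hashes field."""
    for part in hashes.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == algo:
            return value.strip().lower()
    return None


def check_process_create(ev: dict) -> Optional[str]:
    if basename(ev.get("Image", "")) != "rundll32.exe":
        return None
    m = RUNDLL32_TEMP_DLL.search(ev.get("CommandLine", ""))
    if not m:
        return None
    # Stronger signal when the parent is itself an executable in the same Temp
    # directory, the parent/child pair seen in the report (PID 1632 -> PID 1728).
    parent = ev.get("ParentImage", "")
    same_dir = parent.rsplit("\\", 1)[0].lower() == m.group("dll").rsplit("\\", 1)[0].lower()
    sev = "high" if same_dir else "medium"
    return (f"[{sev}] rundll32 (pid {ev['ProcessId']}) loading Temp DLL "
            f"{basename(m.group('dll'))} export '{m.group('export')}' "
            f"spawned by {basename(parent)} (pid {ev.get('ParentProcessId')})")


def check_image_load(ev: dict) -> Optional[str]:
    h = sysmon_hash(ev.get("Hashes", ""))
    if h in DROPPED_DLL_SHA256:
        return f"[high] known Danabot loader DLL mapped into pid {ev['ProcessId']}: {basename(ev['ImageLoaded'])}"
    return None


def check_network(ev: dict) -> Optional[str]:
    dst = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
    if dst in DANABOT_C2:
        return f"[high] pid {ev['ProcessId']} ({basename(ev['Image'])}) connected to Danabot C2 {dst[0]}:{dst[1]}"
    return None


CHECKS = {1: check_process_create, 7: check_image_load, 3: check_network}


def hunt(events: Iterable[dict]) -> list:
    """Run the EventID-specific check over each event; return the findings in order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = TEMP + r"\4ecba4ce64055cdb334347082b8760bb.exe"

# Constructed telemetry: the report's chain plus two benign events for contrast.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1728, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.exe " + SAMPLE_EXE + ".dll,z " + SAMPLE_EXE,
     "ParentProcessId": 1632, "ParentImage": SAMPLE_EXE},
    {"EventID": 1, "ProcessId": 2040, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 1728, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ImageLoaded": SAMPLE_EXE + ".dll",
     "Hashes": "SHA256=3369B73E204AADD3507791A55AA743C6C097B754B2768DE23184DC3757A6477B,MD5=3E752B0E006BEC21E56DEDDC42F3D02B"},
    {"EventID": 3, "ProcessId": 1728, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "192.119.110.4", "DestinationPort": "443"},
    {"EventID": 3, "ProcessId": 2040, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The command-line check deliberately ignores which rundll32 directory was used, for the WoW64 reason noted above, and it does not require the export to be named z: the single-letter export is a detail of this sample, while the Temp-resident double-extension DLL is the part worth alerting on. The hash and C2 checks are plain indicator matches and will age as the actors rotate infrastructure; the behavioural check is the durable one.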
Downloads
- C:\Users\Admin\AppData\Local\Temp\4ecba4ce64055cdb334347082b8760bb.exe.dll (listed five times in the report, once as C:\Users\... and four times as \Users\...; every entry carries the same hashes, so it is one file)
  MD5: 3e752b0e006bec21e56deddc42f3d02b
  SHA1: 587d75ccc1593b06ce443eec886b28f7e6808186
  SHA256: 3369b73e204aadd3507791a55aa743c6c097b754b2768de23184dc3757a6477b
  SHA512: 4635a7dd7860a2fa7d58c5883850cb19fe668edeb51397257743e2d1ce0e182ba78e4974a36a6a7ae512ebad993585515cd4ace8c76aac4b322dca42174fa683
Memory dumps (region covered, and the size the report states for it):
- memory/1632-53-0x0000000075531000-0x0000000075533000-memory.dmp: 8KB
- memory/1632-54-0x0000000004550000-0x0000000004635000-memory.dmp: 916KB
- memory/1632-55-0x0000000004640000-0x000000000473C000-memory.dmp: 1008KB
- memory/1632-56-0x0000000000400000-0x0000000002C5B000-memory.dmp: 40.4MB (starts at 0x400000, the usual 32-bit image base; far larger than the 1.1MB file on disk)
- memory/1728-57-0x0000000000000000-mapping.dmp
- memory/1728-64-0x00000000009C0000-0x0000000000B11000-memory.dmp: 1.3MB (rundll32.exe, PID 1728; the region the DanabotLoader2021 rule matched)
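As an added example, not part of the tria.ge report, the following Python parses the dump names above and cross-checks them. The naming scheme it assumes, memory/<pid>-<sequence>-<start>-<end>-memory.dmp (or ...-<base>-mapping.dmp for a mapped image with no end address), is read off the entries listed; the sizes recomputed from the addresses are compared against the sizes the report states, and the YARA hit from the Signatures section is tied back to the dump that contains its address.

```python
"""Parse tria.ge memory-dump names and sanity-check the stated sizes.

Added example, not part of the report. The naming scheme is assumed from the
entries on the page; the list below copies those entries verbatim.
"""
import re
from typing import NamedTuple, Optional

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"(?:-(?P<end>0x[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


class Dump(NamedTuple):
    pid: int
    seq: int
    start: int
    end: Optional[int]   # None for mapping.dmp entries, which carry only a base address
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    def contains(self, addr: int) -> bool:
        # End address is exclusive, as the 8KB entry (0x...1000 to 0x...3000) shows.
        return self.end is not None and self.start <= addr < self.end


def parse_dump_name(name: str) -> Dump:
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    end = int(m["end"], 16) if m["end"] else None
    return Dump(int(m["pid"]), int(m["seq"]), int(m["start"], 16), end, m["kind"])


def human_size(n: int) -> str:
    """Reproduce the report's rounding: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 1024:.0f}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"


# The entries as they appear in the report (name, stated size; None where none is given).
REPORTED = [
    ("memory/1632-53-0x0000000075531000-0x0000000075533000-memory.dmp", "8KB"),
    ("memory/1632-54-0x0000000004550000-0x0000000004635000-memory.dmp", "916KB"),
    ("memory/1632-55-0x0000000004640000-0x000000000473C000-memory.dmp", "1008KB"),
    ("memory/1632-56-0x0000000000400000-0x0000000002C5B000-memory.dmp", "40.4MB"),
    ("memory/1728-57-0x0000000000000000-mapping.dmp", None),
    ("memory/1728-64-0x00000000009C0000-0x0000000000B11000-memory.dmp", "1.3MB"),
]


def check_sizes(entries=REPORTED) -> list:
    """Return (name, recomputed size, stated size, agrees) for every entry."""
    out = []
    for name, stated in entries:
        d = parse_dump_name(name)
        recomputed = None if d.size is None else human_size(d.size)
        out.append((name, recomputed, stated, recomputed == stated))
    return out


def dumps_for_pid(pid: int, entries=REPORTED) -> list:
    return [d for d in (parse_dump_name(n) for n, _ in entries) if d.pid == pid]


def dump_containing(pid: int, addr: int, entries=REPORTED) -> Optional[str]:
    """Which dump of `pid` holds `addr`? Ties a YARA hit address back to a dump file."""
    for name, _ in entries:
        d = parse_dump_name(name)
        if d.pid == pid and d.contains(addr):
            return name
    return None


if __name__ == "__main__":
    for name, recomputed, stated, ok in check_sizes():
        print(("ok  " if ok else "DIFF"), name, recomputed, stated)
    print("DanabotLoader2021 hit lives in:", dump_containing(1728, 0x9C0000))
```

Every stated size agrees with the address arithmetic once the exclusive end and the report's rounding are applied, which is worth confirming before relying on a dump's size to estimate how much of an unpacked payload it holds. The 40.4MB region of PID 1632 starting at 0x400000 dwarfs the 1.1MB file on disk, so the interesting material for static follow-up is the 1.3MB region of PID 1728, the one the loader rule matched.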