Analysis
-
max time kernel
135s -
max time network
143s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
13-01-2022 08:21
Static task
static1
General
-
Target
d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe
-
Size
1MB
-
MD5
a012615d823d78cf7ebe845cfc2a2102
-
SHA1
769d1c1dbeb0ab368ed3c094d4a468903e7e1e01
-
SHA256
d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c
-
SHA512
dc6d135d2e6cf6f842e49a93a8a211f3a58c64236a8f8f9bd2bc75cacc64858e1d02c4cd1868fe870ba8d800485cea654551a2214d684b8d10689aee8cd21a5c
Malware Config
Extracted
| Family |
danabot |
| Botnet |
4 |
| C2 |
103.175.16.113:443 103.175.16.114:443 |
| Attributes |
embedded_hash 422236FD601D11EE82825A484D26DD6F
type loader |
| rsa_pubkey.plain |
|
| rsa_privkey.plain |
|
Signatures
-
Danabot Loader Component ⋅ 4 IoCs
Processes:
resource yara_rule behavioral1/files/0x000600000001ab74-119.dat DanabotLoader2021 behavioral1/files/0x000600000001ab74-121.dat DanabotLoader2021 behavioral1/files/0x000600000001ab74-120.dat DanabotLoader2021 behavioral1/memory/3052-122-0x0000000000DE0000-0x0000000000F31000-memory.dmp DanabotLoader2021 -
Loads dropped DLL ⋅ 2 IoCs
Processes:
rundll32.exepid process 3052 rundll32.exe 3052 rundll32.exe -
Suspicious use of WriteProcessMemory ⋅ 3 IoCs
Processes:
d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exedescription pid process target process PID 2152 wrote to memory of 3052 2152 d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe rundll32.exe PID 2152 wrote to memory of 3052 2152 d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe rundll32.exe PID 2152 wrote to memory of 3052 2152 d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exePID:2152"C:\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe"Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exePID:3052C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe.dll,z C:\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exeLoads dropped DLL
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
Downloads
-
C:\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe.dllMD5
719f0c75dccb9ef0718ae6b452ff737d
SHA102944034174a09579f6e2b035823b3204be06db7
SHA2568bc0429cbf0a40cec68d709e147a0bd71dc8e5e8c10d4e6386e50a3f4d23e42a
SHA512e789765f94114c213772d951fb61d0aac56b43c91895eb9704e0860764d8a9e61bf2595174452608354b104f511dd4bd34bbaa4e1c4a30663879d84be528ee5f
-
\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe.dllMD5
719f0c75dccb9ef0718ae6b452ff737d
SHA102944034174a09579f6e2b035823b3204be06db7
SHA2568bc0429cbf0a40cec68d709e147a0bd71dc8e5e8c10d4e6386e50a3f4d23e42a
SHA512e789765f94114c213772d951fb61d0aac56b43c91895eb9704e0860764d8a9e61bf2595174452608354b104f511dd4bd34bbaa4e1c4a30663879d84be528ee5f
-
\Users\Admin\AppData\Local\Temp\d8f1186979d8ff54e4d376cae7b5e20100a0b89776201c69514cef044f57bc8c.exe.dllMD5
719f0c75dccb9ef0718ae6b452ff737d
SHA102944034174a09579f6e2b035823b3204be06db7
SHA2568bc0429cbf0a40cec68d709e147a0bd71dc8e5e8c10d4e6386e50a3f4d23e42a
SHA512e789765f94114c213772d951fb61d0aac56b43c91895eb9704e0860764d8a9e61bf2595174452608354b104f511dd4bd34bbaa4e1c4a30663879d84be528ee5f
-
memory/2152-116-0x0000000000A30000-0x0000000000B2D000-memory.dmp
-
memory/2152-115-0x0000000000940000-0x0000000000A25000-memory.dmp
-
memory/2152-117-0x0000000000400000-0x0000000000529000-memory.dmp
-
memory/3052-118-0x0000000000000000-mapping.dmp
-
memory/3052-122-0x0000000000DE0000-0x0000000000F31000-memory.dmp