Analysis
- max time kernel: 140s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 13-01-2022 13:30
- Static task: static1
General
- Target: fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe
- Size: 1.1MB
- MD5: a5fb0a37f7ac9d8efe9c6dc4b5075777
- SHA1: 00a4ce2ac284e2cebf56d60398868435fb560cbd
- SHA256: fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e
- SHA512: 31799ab34f71c93f826bf5a25c1dc149bea00755cc671cde2de9847579bdcdecfce67da17aad4ce1a5578d5fcbe5dba6737471422155dedbd33130572f42d821
Malware Config
Extracted
- danabot 4
- 103.175.16.113:443
- 103.175.16.114:443
- embedded_hash: 422236FD601D11EE82825A484D26DD6F
- type: loader
Signatures
- Danabot Loader Component (4 IoCs)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe.dll | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe.dll | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe.dll | DanabotLoader2021
  behavioral1/memory/1000-122-0x0000000000920000-0x0000000000A71000-memory.dmp | DanabotLoader2021
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1000 | rundll32.exe
  1000 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 2444 wrote to memory of 1000 | 2444 | fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe | rundll32.exe
  PID 2444 wrote to memory of 1000 | 2444 | fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe | rundll32.exe
  PID 2444 wrote to memory of 1000 | 2444 | fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe.dll,z C:\Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe
    - Loads dropped DLL
Downloads
- C:\Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe.dll
  MD5: 191c50d283bf7567c9f6f6991d16161d
  SHA1: b396ef81fd678f5bc45970a8172174753ad95aaf
  SHA256: a32f46e723b14dcb8a7f19d09845dc36c62836f87f0422efd340d011dfe07020
  SHA512: 2d5961168f532d031e199048823500ad37c2766d2ab19f04774384f262f346588693be54e10fd6482d67987f4ff7a00499a31f511faaffac1ba2f863df48da0d
- \Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe.dll
  MD5: 191c50d283bf7567c9f6f6991d16161d
  SHA1: b396ef81fd678f5bc45970a8172174753ad95aaf
  SHA256: a32f46e723b14dcb8a7f19d09845dc36c62836f87f0422efd340d011dfe07020
  SHA512: 2d5961168f532d031e199048823500ad37c2766d2ab19f04774384f262f346588693be54e10fd6482d67987f4ff7a00499a31f511faaffac1ba2f863df48da0d
- \Users\Admin\AppData\Local\Temp\fca6217cf8955755dadcff890704ac98883879c24da212b9ef3aaed402e1566e.exe.dll
  MD5: 191c50d283bf7567c9f6f6991d16161d
  SHA1: b396ef81fd678f5bc45970a8172174753ad95aaf
  SHA256: a32f46e723b14dcb8a7f19d09845dc36c62836f87f0422efd340d011dfe07020
  SHA512: 2d5961168f532d031e199048823500ad37c2766d2ab19f04774384f262f346588693be54e10fd6482d67987f4ff7a00499a31f511faaffac1ba2f863df48da0d
- memory/1000-118-0x0000000000000000-mapping.dmp
- memory/1000-122-0x0000000000920000-0x0000000000A71000-memory.dmp
  Filesize: 1.3MB
- memory/2444-115-0x0000000000960000-0x0000000000A45000-memory.dmp
  Filesize: 916KB
- memory/2444-116-0x0000000000A50000-0x0000000000B4D000-memory.dmp
  Filesize: 1012KB
- memory/2444-117-0x0000000000400000-0x0000000000529000-memory.dmp
  Filesize: 1.2MB