Analysis
-
Max time kernel: 42s
Max time network: 45s
Platform: windows7_x64
Resource: win7-20220331-en
Submitted: 04-04-2022 16:05
Behavioral task: behavioral1
Sample: cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4.dll
Resource: win7-20220331-en
-
Behavioral task: behavioral2
Sample: cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4.dll
Resource: win10v2004-20220331-en
General
-
Target: cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4.dll
Size: 1.2MB
MD5: 01093c63363ec6be6dbceaf560907f7e
SHA1: 0330c617d7b1a66eb9912c775a23dd1efc0f125a
SHA256: cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4
SHA512: 67c62fa97096051e72869208676b9c0a97026d02095212866b9a04bba42acc3f98d970fed7c76266d2c6d73885d2a954cdd5747cd109dd3cfbc3692cc3168a57
Malware Config
-
Extracted
Family: danabot
Version: 4
C2: 66.85.185.120:443
    37.220.31.27:443
-
embedded_hash: 0B67BD22E198660FB459B076DE202D09
-
type: loader
Signatures
-
Danabot Loader Component (1 IoC)
  resource:  behavioral1/memory/1360-56-0x0000000000630000-0x0000000000771000-memory.dmp
  yara_rule: DanabotLoader2021
  (The rule matched on a memory region dumped from PID 1360, the SysWOW64 rundll32.exe in the process tree below.)
-
Blocklisted process makes network request (1 IoC)
  flow  pid   process
  1     1360  rundll32.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
  description                      pid  process       target process
  PID 340 wrote to memory of 1360  340  rundll32.exe  rundll32.exe   (7 identical events)
  Caveat: PID 340 is the 64-bit rundll32.exe in system32 and PID 1360 is the 32-bit copy in SysWOW64 that it spawned with the same command line. A 64-bit rundll32.exe handed a 32-bit DLL relaunches the SysWOW64 rundll32.exe itself, so this parent-to-child write pattern is consistent with normal rundll32 behaviour for any 32-bit DLL on a 64-bit host and is not, on its own, evidence of injection. The YARA match in PID 1360's memory and the network request from that PID are the indicators that carry weight here.
Processes
-
C:\Windows\system32\rundll32.exe (PID 340)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4.dll,#1
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe (PID 1360, child of 340)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4.dll,#1
    - Blocklisted process makes network request

In the command lines above, ",#1" tells rundll32.exe to call the DLL's export with ordinal 1 rather than a named export; the sample is run from the user's Temp directory and by ordinal, which is the invocation pattern the detection example below keys on.
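The three behaviours this report flags (rundll32.exe loading a Temp-resident DLL by ordinal, rundll32.exe holding write access on another rundll32.exe, and the flagged process connecting to one of the extracted C2 endpoints) map directly onto host telemetry. The block below is an added example of that detection logic, not part of the sandbox report and not any vendor's detection content. It assumes Sysmon-style events (EventID 1 ProcessCreate, 3 NetworkConnect, 10 ProcessAccess) reduced to plain dicts; the event records are constructed to mirror the process tree above (PIDs 340/1360, the DLL path and the C2 addresses are from the report, the timestamps-free layout, benign noise events and rule names are made up). It also encodes the caveat from the Signatures section: the cross-rundll32 write is only reported alongside the other rules, per PID, so a lone parent-to-child write does not stand out on its own.

```python
"""Detections for the behaviours flagged in the report above, run over constructed
Sysmon-style events. Added example: not part of the sandbox report and not any
vendor's detection content. Field names follow Sysmon (EventID 1 ProcessCreate,
3 NetworkConnect, 10 ProcessAccess); the records are constructed to mirror the
report's process tree, not captured from a live host (PIDs 340/1360, the DLL path
and the C2 addresses come from the report, everything else is made up)."""
import re
from collections import defaultdict

# From the report: C2 endpoints extracted from the loader config, and the DLL path.
C2_ENDPOINTS = {("66.85.185.120", 443), ("37.220.31.27", 443)}
DLL = r"C:\Users\Admin\AppData\Local\Temp\cf22dfd2d88315b9dc292eb0d8f9c87cdf7a422cdd28c5a39361f36fa38a5ab4.dll"

# rundll32 invoking a DLL under a per-user Temp directory by export ordinal (",#N").
RUNDLL32_TEMP_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+\S*\\AppData\\Local\\Temp\\\S+\.dll,#\d+", re.IGNORECASE)
# Access rights WriteProcessMemory needs on the target process handle.
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020


def is_rundll32(image):
    return image.lower().endswith(r"\rundll32.exe")


# Constructed events (assumption: simplified Sysmon fields, no timestamps).
EVENTS = [
    {"id": 1, "pid": 340, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"id": 1, "pid": 1360, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    # 64-bit rundll32 writing into the 32-bit copy it spawned (7 events in the report).
    *[{"id": 10, "src_pid": 340, "src_image": r"C:\Windows\system32\rundll32.exe",
       "dst_pid": 1360, "dst_image": r"C:\Windows\SysWOW64\rundll32.exe",
       "granted": 0x1FFFFF} for _ in range(7)],
    {"id": 3, "pid": 1360, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst_ip": "66.85.185.120", "dst_port": 443},
    # Benign noise that must not fire: a legitimate rundll32 use, a read-only handle
    # opened on the suspect process, and an unrelated HTTPS connection (TEST-NET-3).
    {"id": 1, "pid": 500, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 10, "src_pid": 777, "src_image": r"C:\Windows\system32\taskmgr.exe",
     "dst_pid": 1360, "dst_image": r"C:\Windows\SysWOW64\rundll32.exe", "granted": 0x1000},
    {"id": 3, "pid": 900, "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]


def detect_rundll32_temp_ordinal(events):
    """PIDs where rundll32.exe loads a DLL from a user Temp directory by ordinal."""
    return [e["pid"] for e in events
            if e["id"] == 1 and is_rundll32(e["image"])
            and RUNDLL32_TEMP_ORDINAL.search(e["cmd"])]


def detect_rundll32_writes_rundll32(events):
    """Distinct (source, target) pairs where one rundll32.exe held the rights
    WriteProcessMemory needs on another rundll32.exe. Caveat: a 64-bit rundll32
    handed a 32-bit DLL relaunches the SysWOW64 copy with the same command line,
    so a single parent->child pair is weak alone and is meant to be correlated."""
    needed = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    pairs = []
    for e in events:
        if e["id"] != 10 or not (is_rundll32(e["src_image"]) and is_rundll32(e["dst_image"])):
            continue
        if e["granted"] & needed != needed:
            continue
        pair = (e["src_pid"], e["dst_pid"])
        if pair not in pairs:          # collapse the 7 identical events into one finding
            pairs.append(pair)
    return pairs


def detect_c2_connections(events, c2=C2_ENDPOINTS):
    """(pid, ip, port) for every outbound connection to a known C2 endpoint."""
    return [(e["pid"], e["dst_ip"], e["dst_port"]) for e in events
            if e["id"] == 3 and (e["dst_ip"], e["dst_port"]) in c2]


def correlate(events):
    """Per-PID sorted rule names, so a rundll32 that loads a Temp DLL, receives
    cross-process writes and talks to C2 stands out from any single rule's noise."""
    hits = defaultdict(set)
    for pid in detect_rundll32_temp_ordinal(events):
        hits[pid].add("rundll32_temp_ordinal")
    for src, dst in detect_rundll32_writes_rundll32(events):
        hits[src].add("rundll32_writes_rundll32")
        hits[dst].add("written_by_rundll32")
    for pid, _ip, _port in detect_c2_connections(events):
        hits[pid].add("c2_connection")
    return {pid: sorted(rules) for pid, rules in sorted(hits.items())}


if __name__ == "__main__":
    for pid, rules in correlate(EVENTS).items():
        print(pid, ", ".join(rules))
```

Run against the constructed events, only PIDs 340 and 1360 are reported; PID 1360 carries three rules (Temp-DLL-by-ordinal, written to by another rundll32, connection to a listed C2), which is the combination that justifies treating the WriteProcessMemory signature as meaningful in this tree. The `granted` mask check deliberately requires both PROCESS_VM_OPERATION and PROCESS_VM_WRITE, so a handle opened with query-only rights (the taskmgr.exe event) is ignored.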