Analysis
Max time kernel: 42s
Max time network: 45s
Platform: windows7_x64
Resource: win7-20220331-en
Submitted: 12-04-2022 12:45
Behavioral task: behavioral1
Sample: 44.dll
Resource: win7-20220331-en (windows7_x64)
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: 44.dll
Resource: win10v2004-20220331-en (windows10-2004_x64)
0 signatures
0 seconds
General
Target: 44.dll
Size: 1.3MB
MD5: 448e479874a145608483ddeba7d1d06d
SHA1: 8cfc0ad5458037c393cdba199d243b0f16c8c7bd
SHA256: c486771dcbb6548bbec5bfaf8de3bc0b8e3d8ddf6aa2cd5a0bd0bd4c638839c5
SHA512: 0631ccdded071dfe011a3b41af55ecd5853edbe171baed4ced28c497753bb69173a37ebfd50506ad1a41cb6c398cdafee5e8b61b25544b9360856353477c89c3
Malware Config
Extracted
Family: danabot
Botnet: 4
C2:
  5.9.224.204:443
  192.210.222.81:443
  23.229.29.48:443
Attributes:
  embedded_hash: 0E1A7A1479C37094441FA911262B322A
  type: loader
rsa_pubkey.plain
rsa_privkey.plain
Signatures

Danabot Loader Component (1 IoC)
Processes:
  resource                                                                 | yara_rule
  behavioral1/memory/1588-56-0x0000000000720000-0x0000000000881000-memory.dmp | DanabotLoader2021

Blocklisted process makes network request (1 IoC)
Processes: rundll32.exe
  flow | pid  | process
  1    | 1588 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: rundll32.exe
  description                      | pid  | process      | target process
  PID 1508 wrote to memory of 1588 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1588 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1588 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1588 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1588 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1588 | 1508 | rundll32.exe | rundll32.exe
  PID 1508 wrote to memory of 1588 | 1508 | rundll32.exe | rundll32.exe