Analysis
Max time kernel: 137s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 12-06-2022 06:48
Behavioral task: behavioral1
Sample: 21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70.dll
Resource: win7-20220414-en (windows7_x64)
0 signatures
0 seconds
General
Target: 21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70.dll
Size: 507KB
MD5: 79baa6436ed9504491aef41aa6f27a71
SHA1: 99a7bfe4263ae5c1b4db5dab6ded5a02843bb12a
SHA256: 21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70
SHA512: c7e41359104fda345055f5ed0877da39334a62a598d2c97f38e846f25914afe1c8c0e542a97eba4ec3b9cf3d394bdbff0e0169b395e9a4da9e461cfbb0bdc452
Malware Config
Extracted
Family: danabot
C2:
178.24.124.43
36.133.59.144
14.163.25.64
185.92.222.238
49.63.85.120
192.71.249.51
82.153.140.44
142.12.60.159
149.143.255.24
209.79.97.165
rsa_pubkey.plain
Signatures

Blocklisted process makes network request (8 IoCs)
Processes:
flow  pid   process
6     2096  rundll32.exe
18    2096  rundll32.exe
20    2096  rundll32.exe
32    2096  rundll32.exe
36    2096  rundll32.exe
37    2096  rundll32.exe
41    2096  rundll32.exe
42    2096  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                       pid   process       target process
PID 4704 wrote to memory of 3756  4704  rundll32.exe  rundll32.exe
PID 4704 wrote to memory of 3756  4704  rundll32.exe  rundll32.exe
PID 4704 wrote to memory of 3756  4704  rundll32.exe  rundll32.exe
PID 3756 wrote to memory of 2096  3756  rundll32.exe  rundll32.exe
PID 3756 wrote to memory of 2096  3756  rundll32.exe  rundll32.exe
PID 3756 wrote to memory of 2096  3756  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70.dll,f0
      - Blocklisted process makes network request