Analysis
- max time kernel: 44s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 18-06-2022 00:37
Behavioral task: behavioral1
- Sample: 0x000a000000003c9f-62.dll
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 0x000a000000003c9f-62.dll
- Size: 1.3MB
- MD5: 6b94162340dd76da03497c034c3a8ac4
- SHA1: a7a7e32c62f1d8f2051e4d6932926d497abcc7cf
- SHA256: 21a3c12fa181861883c4516221330d255674ae7378a7455bda0dcd3eb164f56e
- SHA512: 9a59786d105fde33de629cd88b2d61c8d5b3baa2ee2a28388fb076ea00c26361e374029819512ea080eaeb044adb2666b66b66e301809e8d6676f41163289f64
Malware Config (extracted)
- Family: danabot
- Botnet: 4
- C2:
  - 142.11.206.50:443
  - 192.236.161.79:443
  - 192.236.146.39:443
  - 37.220.31.27:443
- Attributes:
  - embedded_hash: 7FF0AA10AB3BA961670646D23EAE3911
  - type: loader
  - rsa_pubkey.plain
  - rsa_privkey.plain
Signatures
- Danabot Loader Component (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/676-56-0x0000000000A50000-0x0000000000BAF000-memory.dmp | DanabotLoader2021
  suricata: ET MALWARE Danabot Key Exchange Request
  suricata: ET MALWARE Danabot Key Exchange Request
- Blocklisted process makes network request (1 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  1 | 676 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 1968 wrote to memory of 676 | 1968 | rundll32.exe | rundll32.exe
  (the same entry is recorded 7 times)
Processes
- C:\Windows\system32\rundll32.exe (PID 1968)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0x000a000000003c9f-62.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 676, child of 1968)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0x000a000000003c9f-62.dll,#1
    - Blocklisted process makes network request