Analysis
- max time kernel: 67s
- max time network: 70s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 16-09-2022 20:23
Behavioral task: behavioral1
- Sample: 0x0008000000014544-61.dll
- Resource: win7-20220812-en (windows7-x64)
- 4 signatures
- 150 seconds
General
- Target: 0x0008000000014544-61.dll
- Size: 2.4MB
- MD5: 1500e3160f2d7bfde9d368d6865a250e
- SHA1: afe8d7ad9085cbc7538108546eb9f46d09c040fb
- SHA256: cbf71553c2dcb2ee0d9ad949877b61151d0374fb9f67cb3c5290d31c63c086dc
- SHA512: fff78aeb27f33bd64718743c64fd30af2bedd6fa85ada66e7ed3d1de569234b6664bb3bc2d156e507b50f76c5ba80396bc7a51ab7b0e017c81e4f4cb82ee91f9
- SSDEEP: 24576:bvSq2/ajNsIu/45F0gKO8T7xb1oQC10ECAs9AD1PdKoL8GyIXBm3C2hTEN+4FOWT:bqqkrO8T7hgvgGyIEZTE0wOzkd
Malware Config
Extracted
- Family: danabot
- Botnet: 4
- C2:
  - 142.11.244.223:443
  - 23.106.122.139:443
- Attributes:
  - embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
  - type: loader
  - rsa_pubkey.plain
  - rsa_privkey.plain
Signatures
- Danabot Loader Component (1 IoC)
  Processes:
  resource: behavioral1/memory/1340-56-0x0000000001FA0000-0x0000000002219000-memory.dmp
  yara_rule: DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow: 2, pid: 1340, process: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  PID 1652 (rundll32.exe) wrote to memory of PID 1340 (rundll32.exe), 7 times
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0x0008000000014544-61.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0x0008000000014544-61.dll,#1
      - Blocklisted process makes network request
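The process tree above is the whole detection story in three events: a 64-bit rundll32 loads the dropped DLL by ordinal (",#1") out of %TEMP%, re-spawns the SysWOW64 rundll32, writes into it, and the child then connects to the DanaBot C2. The following is an added example (not part of the sandbox report and not vendor code) that runs that logic over a small set of constructed telemetry records modelled on the report's PIDs, paths and C2. The record field names (event, pid, ppid, image, cmdline, target_pid, dst_ip, dst_port) are assumed for the example; map them to whatever your EDR or Sysmon pipeline emits.

```python
"""Detect the rundll32 -> rundll32 injection-then-beacon chain from the report.

Added example, not from the sandbox report or any product. The EVENTS list is
constructed to mirror the report: PID 1652 (system32\\rundll32.exe) writes into
PID 1340 (SysWOW64\\rundll32.exe), which connects to a listed DanaBot C2.
"""
from collections import defaultdict

# Constructed telemetry (assumed field names). The last record is a benign
# control: rundll32 driven by a Control Panel applet, no injection, no network.
EVENTS = [
    {"event": "process_create", "pid": 1652, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\0x0008000000014544-61.dll,#1"},
    {"event": "process_create", "pid": 1340, "ppid": 1652,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\0x0008000000014544-61.dll,#1"},
] + [{"event": "write_process_memory", "pid": 1652, "target_pid": 1340} for _ in range(7)] + [
    {"event": "network_connect", "pid": 1340, "dst_ip": "142.11.244.223", "dst_port": 443},
    {"event": "process_create", "pid": 2000, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# C2 endpoints taken from the report's Malware Config section.
KNOWN_C2 = {("142.11.244.223", 443), ("23.106.122.139", 443)}


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def loads_dll_by_ordinal_from_user_path(cmdline: str) -> bool:
    """True when rundll32 loads a DLL from a user-writable path by ordinal (",#N")."""
    low = cmdline.lower()
    return "\\appdata\\" in low and ",#" in low


def detect(events):
    """Return one finding per parent->child rundll32 pair that wrote into the child."""
    procs, writes, conns = {}, defaultdict(int), defaultdict(list)
    for e in events:
        if e["event"] == "process_create":
            procs[e["pid"]] = e
        elif e["event"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["event"] == "network_connect":
            conns[e["pid"]].append((e["dst_ip"], e["dst_port"]))

    findings = []
    for (src, dst), n in writes.items():
        s, d = procs.get(src), procs.get(dst)
        if not s or not d:
            continue
        # Only rundll32 writing into a rundll32 it spawned itself.
        if not (is_rundll32(s["image"]) and is_rundll32(d["image"]) and d["ppid"] == src):
            continue
        child_conns = conns.get(dst, [])
        c2_hits = sorted(c for c in child_conns if c in KNOWN_C2)
        temp_dll = loads_dll_by_ordinal_from_user_path(s["cmdline"])
        # Severity: known C2 is decisive; temp DLL plus any outbound traffic is strong;
        # the memory writes alone are only a weak signal (see note below).
        if c2_hits:
            severity = "high"
        elif temp_dll and child_conns:
            severity = "high"
        elif temp_dll:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"parent_pid": src, "child_pid": dst, "write_events": n,
                         "temp_dll": temp_dll, "c2_hits": c2_hits,
                         "connections": sorted(child_conns), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Note the caveat the page itself hints at: a 64-bit rundll32 handed a 32-bit DLL will legitimately re-launch the SysWOW64 copy, and the sandbox counts the resulting parent-to-child memory writes as "Suspicious use of WriteProcessMemory". On its own that spawn-plus-write pattern is noisy; the discriminators are the DLL being loaded by ordinal from a user-writable path and the child's outbound connection, so the scoring above keys on those rather than on the write count.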