Analysis
Max time kernel: 199s
Max time network: 208s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-12-2023 09:06
Behavioral task: behavioral1
Sample: 13de044c4ce35f2eded6358956fd001b.dll
Resource: win7-20231215-en
3 signatures, 150 seconds
General
Target: 13de044c4ce35f2eded6358956fd001b.dll
Size: 1.3MB
MD5: 13de044c4ce35f2eded6358956fd001b
SHA1: bd219d896a2f6ee552335e563fa6f68923fc57fa
SHA256: 7a342a7788a4a014febcfaa2c31c584c422807ed91545a90056a86ecffa4f33d
SHA512: cf4f1044c0358a9b2469478c829afee36a4917abccce7eae741e192a34cd5130c873173693a42565bc0f432e2ce0e6e7c26ef2d75ac872ab6371929b9267b9fb
SSDEEP: 24576:M8FPC2YvWy0u7DQG/XiILgDif2eoWfTis6TeM7Jnx5T:vuKifixTpR/
Malware Config
Extracted
Family: danabot
C2:
142.11.206.50:443
142.11.244.124:443
Attributes
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
rsa_pubkey.plain
rsa_privkey.plain
Signatures
Blocklisted process makes network request (1 IoC)
Processes:
flow  pid   Process
29    2280  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description                     pid  Process       procid_target
PID 388 wrote to memory of 2280 388  rundll32.exe  89
PID 388 wrote to memory of 2280 388  rundll32.exe  89
PID 388 wrote to memory of 2280 388  rundll32.exe  89
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13de044c4ce35f2eded6358956fd001b.dll,#1
  Signature: Suspicious use of WriteProcessMemory
  PID: 388
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13de044c4ce35f2eded6358956fd001b.dll,#1
    Signature: Blocklisted process makes network request
    PID: 2280