Analysis
Max time kernel: 141s
Max time network: 47s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-12-2023 11:54
Static task: static1
Behavioral task: behavioral1
Sample: 1c52aed4df30df05a45966183eeef3c2.exe
Resource: win7-20231215-en
General
Target: 1c52aed4df30df05a45966183eeef3c2.exe
Size: 1010KB
MD5: 1c52aed4df30df05a45966183eeef3c2
SHA1: 11f350112bdd668b11b2fb3849ef2b0c7c020bb4
SHA256: 152265b11b39688bfa5dd656dddacf87c01515f70f62aeb3b1406138a77986d5
SHA512: 7c30a710cdf9e7f7043b1e4a8a9c1af9e2c70570dd428691451f908b0f81f2f4c3c71f691a2174ba339b1b713baa3ace3f65820402a91225387923f848665ab6
SSDEEP: 24576:Tq/spU59DWkSn/enEYnXnEdI8UkY621c+9ytgYrToZmYyWa8CX:TqN9ahn/0EYnKI84621fq/AcYHg
Malware Config
Extracted: danabot 15
  192.52.166.169:443
  173.254.204.95:443
  192.52.167.45:443
embedded_hash: D6A9A294BFDC6F13BFCC2AB0FA9B54B9
type: loader
Signatures
Danabot Loader Component (5 IoCs)
  Processes (resource, yara_rule):
    behavioral2/memory/3392-6-0x0000000000CB0000-0x0000000000E0D000-memory.dmp, DanabotLoader2021
    behavioral2/files/0x000200000001fafe-5.dat, DanabotLoader2021
    behavioral2/files/0x000200000001fafe-4.dat, DanabotLoader2021
    behavioral2/files/0x000200000001fafe-3.dat, DanabotLoader2021
    behavioral2/memory/3392-7-0x0000000000CB0000-0x0000000000E0D000-memory.dmp, DanabotLoader2021
Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
    113, 3392, rundll32.exe
Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    3392, rundll32.exe
    3392, rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, procid_target):
    PID 3096 wrote to memory of 3392, 3096, 1c52aed4df30df05a45966183eeef3c2.exe, 29
    PID 3096 wrote to memory of 3392, 3096, 1c52aed4df30df05a45966183eeef3c2.exe, 29
    PID 3096 wrote to memory of 3392, 3096, 1c52aed4df30df05a45966183eeef3c2.exe, 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\1c52aed4df30df05a45966183eeef3c2.exe (PID 3096)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c52aed4df30df05a45966183eeef3c2.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 3392)
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1C52AE~1.TMP,S C:\Users\Admin\AppData\Local\Temp\1C52AE~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
Downloads
Filesize: 288KB
MD5: 7ae3a9cbf8042bfec5feaf668b9f0266
SHA1: 69f0130b4ae97ec7431f03828e09848d6f100e0e
SHA256: 9abb3412942918086f2c968901275bff6ffdfa00b09e3a8bb24cd8b4a1498e3d
SHA512: e97c8813c36221d437f0daffbe2ac60d00ffa610780c5c2b2a1fe274a36479f8401787936bb337af0405187c68d47e1e916fa088cfaf9719d6dfc78d914c4731

Filesize: 240KB
MD5: a0d859580c207cce8971fce4f182506f
SHA1: 3f19496d6ecc0479e2fa3a003847e83b4d4eea83
SHA256: 1bf3e4918cb19698e264aa9c3afdc342ddf9f177408653d7fd56a592fc881e95
SHA512: d247fd91e718dc37d947c4b742b40cdf852f6dafa74df66701bef7107da35ba54f61ccee4116204ee79f14a53d636242fefb09475eaadd5ffc8a6649008cda74

Filesize: 377KB
MD5: 493cd04f6b883b033e5f7801a214c9dc
SHA1: f9fddf5ea2f8824cf7f39ed634a648a8f558f133
SHA256: dd115d7ce4e04a8a4edcf9c16314d609861665798c2e93cf63b9454269fc9645
SHA512: fd22efcac62f2b6a44775d58e463278f25aff7e11b549501134ba5046f620f638e84881beccc37ae8ee627f1058c7e7052a1fed0e3d84dd41633619fb5c887b4