Analysis
- max time kernel: 141s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2023 23:51
Behavioral task: behavioral1
- Sample: 973e243a21c58d1ce53e81b6cfb13f29.dll
- Resource: win7-20231215-en
- 4 signatures
- 150 seconds
General
- Target: 973e243a21c58d1ce53e81b6cfb13f29.dll
- Size: 1.3MB
- MD5: 973e243a21c58d1ce53e81b6cfb13f29
- SHA1: 7e8eba90c43e6bc2bbbb966923f9f9ff76ab01d6
- SHA256: a4f029ef2f2dcd8319955185a0675b446ad78f737a383afb57f86ae70335d1a3
- SHA512: d44b3c66611ef1b16eb15361cb476776d1980a6b9d5a1abac73a3b3942b95205c54dafb7f99e86d0c640f85c38ec7eaa66ca63578704cde61ff7dc269e1a9ebe
- SSDEEP: 24576:pcFPyHJP0Mrwfy8uS6pWeiPAEn5OWb/7WdTMQ+J4:KciP/n5ZidTS4
Malware Config
Extracted
- Family: danabot
- Botnet: 4
- C2:
  - 142.11.244.124:443
  - 142.11.206.50:443
- Attributes:
  - embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
  - type: loader
- rsa_pubkey.plain
- rsa_privkey.plain
Signatures
- Danabot Loader Component (15 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2288-0-0x0000000000690000-0x00000000007EF000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2288-1-0x0000000000690000-0x00000000007EF000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2288-2-0x0000000000690000-0x00000000007EF000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2288-3-0x0000000000690000-0x00000000007EF000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2288-4-0x0000000000690000-0x00000000007EF000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2288-5-0x0000000000690000-0x00000000007EF000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2288-6-0x0000000000690000-0x00000000007EF000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2288-7-0x0000000000690000-0x00000000007EF000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2288-8-0x0000000000690000-0x00000000007EF000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2288-9-0x0000000000690000-0x00000000007EF000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2288-10-0x0000000000690000-0x00000000007EF000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2288-11-0x0000000000690000-0x00000000007EF000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2288-12-0x0000000000690000-0x00000000007EF000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2288-13-0x0000000000690000-0x00000000007EF000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2288-14-0x0000000000690000-0x00000000007EF000-memory.dmp   DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  flow   pid    Process
  2      2288   rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description                          pid    Process        procid_target
  PID 2236 wrote to memory of 2288     2236   rundll32.exe   1
  PID 2236 wrote to memory of 2288     2236   rundll32.exe   1
  PID 2236 wrote to memory of 2288     2236   rundll32.exe   1
  PID 2236 wrote to memory of 2288     2236   rundll32.exe   1
  PID 2236 wrote to memory of 2288     2236   rundll32.exe   1
  PID 2236 wrote to memory of 2288     2236   rundll32.exe   1
  PID 2236 wrote to memory of 2288     2236   rundll32.exe   1
Processes
- C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\973e243a21c58d1ce53e81b6cfb13f29.dll,#1
  - Blocklisted process makes network request
  PID: 2288
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\973e243a21c58d1ce53e81b6cfb13f29.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2236