Analysis
max time kernel: 162s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2023 23:51
Behavioral task: behavioral1
Sample: 973e243a21c58d1ce53e81b6cfb13f29.dll
Resource: win7-20231215-en
4 signatures
150 seconds
General
Target: 973e243a21c58d1ce53e81b6cfb13f29.dll
Size: 1.3MB
MD5: 973e243a21c58d1ce53e81b6cfb13f29
SHA1: 7e8eba90c43e6bc2bbbb966923f9f9ff76ab01d6
SHA256: a4f029ef2f2dcd8319955185a0675b446ad78f737a383afb57f86ae70335d1a3
SHA512: d44b3c66611ef1b16eb15361cb476776d1980a6b9d5a1abac73a3b3942b95205c54dafb7f99e86d0c640f85c38ec7eaa66ca63578704cde61ff7dc269e1a9ebe
SSDEEP: 24576:pcFPyHJP0Mrwfy8uS6pWeiPAEn5OWb/7WdTMQ+J4:KciP/n5ZidTS4
Malware Config
Extracted
Family: danabot
Botnet: 4
C2:
  142.11.244.124:443
  142.11.206.50:443
Attributes:
  embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
  type: loader
  rsa_pubkey.plain
  rsa_privkey.plain
Signatures

Danabot Loader Component (14 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/4412-0-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4412-1-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4412-2-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4412-3-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4412-4-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4412-5-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4412-6-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4412-7-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4412-8-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4412-9-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4412-10-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/4412-11-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/4412-12-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/4412-13-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021

Blocklisted process makes network request (1 IoCs)
Processes: rundll32.exe
  flow  pid   Process
  24    4412  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description                       pid   Process       procid_target
  PID 3720 wrote to memory of 4412  3720  rundll32.exe  88
  PID 3720 wrote to memory of 4412  3720  rundll32.exe  88
  PID 3720 wrote to memory of 4412  3720  rundll32.exe  88
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\973e243a21c58d1ce53e81b6cfb13f29.dll,#1
    Suspicious use of WriteProcessMemory
    PID: 3720
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\973e243a21c58d1ce53e81b6cfb13f29.dll,#1
      Blocklisted process makes network request
      PID: 4412