Analysis

  max time kernel:   146s
  max time network:  148s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231215-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         26-12-2023 11:38

  Static task:       static1
  Behavioral task:   behavioral1
    Sample:          6b60f7cbc0c04e3110ea9da7f9321fe3.exe
    Resource:        win7-20231215-en
General

  Target:  6b60f7cbc0c04e3110ea9da7f9321fe3.exe
  Size:    1.1MB
  MD5:     6b60f7cbc0c04e3110ea9da7f9321fe3
  SHA1:    5051291ed1160c0f5bdd79f1d5706807f2d7512b
  SHA256:  73330db1f35105b797d13d85b7e372cd0fc8a7eab0ed05ba1d864457d0e7666c
  SHA512:  bf61735f3ee94390c69348dbe9c78bc0a1d56e7c64ce2b9ecedd10147ccb6db8aed677f24a8d32fabc8ab308ab33861d4eb383addcc1ec43d7bbcd453b943b0c
  SSDEEP:  24576:RIcECYHIt8+5eZ+conosN6FOf8qtRfJ6a6BPA:RIxvHrSEcJgU8yfJ6NBI
Malware Config

  Extracted: danabot
    4
    142.11.244.124:443
    142.11.206.50:443
    embedded_hash:  6AD9FE4F9E491E785665E0D144F61DAB
    type:           loader
Signatures

- Danabot Loader Component (11 IoCs)
  Processes:
    resource                                                               yara_rule
    behavioral2/files/0x0011000000023169-7.dat                             DanabotLoader2021
    behavioral2/files/0x0011000000023169-6.dat                             DanabotLoader2021
    behavioral2/memory/4476-10-0x0000000000400000-0x000000000055E000-memory.dmp  DanabotLoader2021
    behavioral2/memory/4476-18-0x0000000000400000-0x000000000055E000-memory.dmp  DanabotLoader2021
    behavioral2/memory/4476-19-0x0000000000400000-0x000000000055E000-memory.dmp  DanabotLoader2021
    behavioral2/memory/4476-20-0x0000000000400000-0x000000000055E000-memory.dmp  DanabotLoader2021
    behavioral2/memory/4476-21-0x0000000000400000-0x000000000055E000-memory.dmp  DanabotLoader2021
    behavioral2/memory/4476-22-0x0000000000400000-0x000000000055E000-memory.dmp  DanabotLoader2021
    behavioral2/memory/4476-23-0x0000000000400000-0x000000000055E000-memory.dmp  DanabotLoader2021
    behavioral2/memory/4476-24-0x0000000000400000-0x000000000055E000-memory.dmp  DanabotLoader2021
    behavioral2/memory/4476-25-0x0000000000400000-0x000000000055E000-memory.dmp  DanabotLoader2021

- Blocklisted process makes network request (1 IoC)
  Processes:
    flow  pid   Process
    116   4476  rundll32.exe

- Loads dropped DLL (1 IoC)
  Processes:
    pid   Process
    4476  rundll32.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                         pid   Process                               procid_target
    PID 4784 wrote to memory of 4476    4784  6b60f7cbc0c04e3110ea9da7f9321fe3.exe  56
    PID 4784 wrote to memory of 4476    4784  6b60f7cbc0c04e3110ea9da7f9321fe3.exe  56
    PID 4784 wrote to memory of 4476    4784  6b60f7cbc0c04e3110ea9da7f9321fe3.exe  56
Processes

- C:\Users\Admin\AppData\Local\Temp\6b60f7cbc0c04e3110ea9da7f9321fe3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b60f7cbc0c04e3110ea9da7f9321fe3.exe"
  PID: 4784
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6B60F7~1.TMP,S C:\Users\Admin\AppData\Local\Temp\6B60F7~1.EXE
    PID: 4476
    - Blocklisted process makes network request
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads

- MD5:     d41d8cd98f00b204e9800998ecf8427e
  SHA1:    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256:  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512:  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- Filesize: 93KB
  MD5:     8c217a66eebaab0e6acce6e35d1c85cf
  SHA1:    d69d186124a89a7e7b2d98c384e26af0d1bb1f66
  SHA256:  2b00f8eb18d41c86f6ab4bb9f6f9e882f01f75026d1b5a4f633284de59089e2d
  SHA512:  04a79545c42651403b10a5be08dcc1529169b40d7a4f02ff51afb22616d4c433e15c3adba2439fb2b0a3240acb38fe0152f583a82532755d44d65b3e661a0fbf