Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27-12-2023 22:17

Static task: static1
Behavioral task: behavioral1
Sample: b7be87f68035db926317eb59c289fcd3.exe
Resource: win7-20231215-en
General
- Target: b7be87f68035db926317eb59c289fcd3.exe
- Size: 1.2MB
- MD5: b7be87f68035db926317eb59c289fcd3
- SHA1: 186f7e4ea34132f74b556de4aa0bb795fb7c6eab
- SHA256: 641ddfbeb79686d53e97f99b043550cde7d19ef91c6e611f02ad80f33daaf4ad
- SHA512: 305a4fc92f4ca5e4e4956c69ed4f105eb2f2b460a768d9e6ed5790ce31aa2335a8573695803dff2b1ac88356d7b6c3b7a676c8912dbfa0aeca751217481b8eff
- SSDEEP: 12288:rVCb/f147wpOPaTWOSPPwzAXK2PA22zmof8job+hg8njpC2GpldNDtlqiZUBbAcr:Sf147s4yR2Pjgf8sKu7p1q9ACwGBa
Malware Config
Extracted
- danabot
- 4
- 142.11.244.124:443
- 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
- type: loader
Signatures
- Danabot Loader Component (11 IoCs)
Processes:
resource | yara_rule
behavioral1/files/0x000a000000012263-8.dat | DanabotLoader2021
behavioral1/memory/2900-10-0x0000000001E90000-0x0000000001FEF000-memory.dmp | DanabotLoader2021
behavioral1/memory/2900-11-0x0000000001E90000-0x0000000001FEF000-memory.dmp | DanabotLoader2021
behavioral1/memory/2900-19-0x0000000001E90000-0x0000000001FEF000-memory.dmp | DanabotLoader2021
behavioral1/memory/2900-20-0x0000000001E90000-0x0000000001FEF000-memory.dmp | DanabotLoader2021
behavioral1/memory/2900-21-0x0000000001E90000-0x0000000001FEF000-memory.dmp | DanabotLoader2021
behavioral1/memory/2900-22-0x0000000001E90000-0x0000000001FEF000-memory.dmp | DanabotLoader2021
behavioral1/memory/2900-23-0x0000000001E90000-0x0000000001FEF000-memory.dmp | DanabotLoader2021
behavioral1/memory/2900-24-0x0000000001E90000-0x0000000001FEF000-memory.dmp | DanabotLoader2021
behavioral1/memory/2900-25-0x0000000001E90000-0x0000000001FEF000-memory.dmp | DanabotLoader2021
behavioral1/memory/2900-26-0x0000000001E90000-0x0000000001FEF000-memory.dmp | DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
Processes: rundll32.exe
flow | pid | Process
2 | 2900 | rundll32.exe
- Loads dropped DLL (1 IoC)
Processes: rundll32.exe
pid | Process
2900 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
Processes: b7be87f68035db926317eb59c289fcd3.exe
description | pid | Process | procid_target
PID 2200 wrote to memory of 2900 | 2200 | b7be87f68035db926317eb59c289fcd3.exe | 28
PID 2200 wrote to memory of 2900 | 2200 | b7be87f68035db926317eb59c289fcd3.exe | 28
PID 2200 wrote to memory of 2900 | 2200 | b7be87f68035db926317eb59c289fcd3.exe | 28
PID 2200 wrote to memory of 2900 | 2200 | b7be87f68035db926317eb59c289fcd3.exe | 28
PID 2200 wrote to memory of 2900 | 2200 | b7be87f68035db926317eb59c289fcd3.exe | 28
PID 2200 wrote to memory of 2900 | 2200 | b7be87f68035db926317eb59c289fcd3.exe | 28
PID 2200 wrote to memory of 2900 | 2200 | b7be87f68035db926317eb59c289fcd3.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\b7be87f68035db926317eb59c289fcd3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7be87f68035db926317eb59c289fcd3.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2200
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B7BE87~1.TMP,S C:\Users\Admin\AppData\Local\Temp\B7BE87~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID: 2900
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1.3MB
  MD5: ee13cc90fabfc6ac9c4e8a00ed3805af
  SHA1: b50098d0e99a9f0f88624e58701c1a9570e421ae
  SHA256: 3fde70aec3497bc38df7518fcf190ae5ebbdd8c85976c28a17f7a43eaac9e92b
  SHA512: 5d0523bb8753f9bb6043df3d3e62cb0e479581e48b41efd86bc2a2c99c98654f5fcf36aa3366fbf8c30739296269b5b48b1d4d81a364d862e540fe7204ed4537