Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-12-2023 13:27
Static task: static1
Behavioral task: behavioral1
Sample: b19b5a3a677dfb6eb3c6c88bc14328f0.exe
Resource: win7-20231215-en
General
Target: b19b5a3a677dfb6eb3c6c88bc14328f0.exe
Size: 1.1MB
MD5: b19b5a3a677dfb6eb3c6c88bc14328f0
SHA1: 4157b1958b28e24e58cd614c2aa53c20f61d3001
SHA256: a4b1ad9683d5208a4cef9cd3aa5a055007e88d9f712163ea599feb23f6f43e0c
SHA512: 3aae34b63f475a412a3d322cbcbc7da3255079000b6e84a76dbacd8b10d850667e735a45030e839e711b0e5585103814c223bddf70c50c85cac1fdd6c86be09e
SSDEEP: 24576:5Gsv7UJ0yshakeJYM69TU93f3PaCSMtvBWoLnbrac:JZysBeGPlU9v3PaFMt0+nb
Malware Config
Extracted
danabot
4
142.11.244.124:443
142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures
Danabot Loader Component (13 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/5044-9-0x0000000002780000-0x00000000028DF000-memory.dmp | DanabotLoader2021
behavioral2/files/0x0008000000016928-8.dat | DanabotLoader2021
behavioral2/files/0x0008000000016928-7.dat | DanabotLoader2021
behavioral2/files/0x0008000000016928-6.dat | DanabotLoader2021
behavioral2/memory/5044-12-0x0000000002780000-0x00000000028DF000-memory.dmp | DanabotLoader2021
behavioral2/memory/5044-20-0x0000000002780000-0x00000000028DF000-memory.dmp | DanabotLoader2021
behavioral2/memory/5044-21-0x0000000002780000-0x00000000028DF000-memory.dmp | DanabotLoader2021
behavioral2/memory/5044-22-0x0000000002780000-0x00000000028DF000-memory.dmp | DanabotLoader2021
behavioral2/memory/5044-23-0x0000000002780000-0x00000000028DF000-memory.dmp | DanabotLoader2021
behavioral2/memory/5044-24-0x0000000002780000-0x00000000028DF000-memory.dmp | DanabotLoader2021
behavioral2/memory/5044-25-0x0000000002780000-0x00000000028DF000-memory.dmp | DanabotLoader2021
behavioral2/memory/5044-26-0x0000000002780000-0x00000000028DF000-memory.dmp | DanabotLoader2021
behavioral2/memory/5044-27-0x0000000002780000-0x00000000028DF000-memory.dmp | DanabotLoader2021
Blocklisted process makes network request (1 IoC)
Processes:
flow | pid | Process
48 | 5044 | rundll32.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | Process
5044 | rundll32.exe
5044 | rundll32.exe
Program crash (1 IoC)
Processes:
pid | pid_target | Process | procid_target
4972 | 1640 | WerFault.exe | 16
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | Process | procid_target
PID 1640 wrote to memory of 5044 | 1640 | b19b5a3a677dfb6eb3c6c88bc14328f0.exe | 46
PID 1640 wrote to memory of 5044 | 1640 | b19b5a3a677dfb6eb3c6c88bc14328f0.exe | 46
PID 1640 wrote to memory of 5044 | 1640 | b19b5a3a677dfb6eb3c6c88bc14328f0.exe | 46
Processes
C:\Users\Admin\AppData\Local\Temp\b19b5a3a677dfb6eb3c6c88bc14328f0.exe (PID 1640)
  command line: "C:\Users\Admin\AppData\Local\Temp\b19b5a3a677dfb6eb3c6c88bc14328f0.exe"
  signatures: Suspicious use of WriteProcessMemory
  |- C:\Windows\SysWOW64\WerFault.exe (PID 4972)
  |    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 444
  |    signatures: Program crash
  |- C:\Windows\SysWOW64\rundll32.exe (PID 5044)
       command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B19B5A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\B19B5A~1.EXE
       signatures: Blocklisted process makes network request; Loads dropped DLL
C:\Windows\SysWOW64\WerFault.exe (PID 3004)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1640 -ip 1640
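The process tree gives the loader's observable shape: a dropper running from the user's Temp directory writes into a child rundll32.exe, which is handed a renamed payload (B19B5A~1.TMP, an 8.3 short name rather than a .dll) and a single-letter entry point, S, and then makes the blocklisted network request. The Python below is an added example written for this page, not part of the sandbox report or its signature set; it runs a few heuristics for that pattern over Sysmon Event ID 1 style process-creation fields (Image, CommandLine, ParentImage). Every record in EVENTS is constructed for the example: the first reproduces the rundll32 launch above, the other two are benign rundll32 uses. One caveat comes straight from the tree: the command line names C:\Windows\system32\rundll32.exe while the image that actually ran is C:\Windows\SysWOW64\rundll32.exe (the parent is 32-bit, as the SysWOW64 WerFault instances also show, so WoW64 file-system redirection applied), which is why the check identifies rundll32 from the Image field and never from the command line.

```python
"""Heuristics for the rundll32 loader pattern in the process tree above.

Added example for this page; it is not part of the sandbox report or its
detection rules. Records use Sysmon Event ID 1 field names (Image,
CommandLine, ParentImage, ProcessId, ParentProcessId), but every record in
EVENTS below is constructed by hand for the example.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed events. The first mirrors the report's rundll32 launch
# (PID 5044 spawned by PID 1640); the other two are benign uses made up
# for contrast.
EVENTS: List[Dict[str, str]] = [
    {
        "ProcessId": "5044",
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "CommandLine": (r"C:\Windows\system32\rundll32.exe "
                        r"C:\Users\Admin\AppData\Local\Temp\B19B5A~1.TMP,S "
                        r"C:\Users\Admin\AppData\Local\Temp\B19B5A~1.EXE"),
        "ParentProcessId": "1640",
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\b19b5a3a677dfb6eb3c6c88bc14328f0.exe",
    },
    {   # Control Panel applet opened from explorer (constructed, benign)
        "ProcessId": "7120",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL inetcpl.cpl',
        "ParentProcessId": "4012",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Relative DLL name resolved via the search path (constructed, benign)
        "ProcessId": "7188",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe printui.dll,PrintUIEntry /in /n \\print01\hp-3f",
        "ParentProcessId": "4012",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Match on the Image field, not the command line: the report's command line
# says system32 but the 32-bit parent was redirected to SysWOW64 by WoW64.
RUNDLL32_IMAGES = {"c:\\windows\\system32\\rundll32.exe", "c:\\windows\\syswow64\\rundll32.exe"}
WINDOWS_DIR = "c:\\windows\\"
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SHORT_NAME = re.compile(r"~\d+(?:\.|\\|$)")  # 8.3 component such as B19B5A~1.TMP


def parse_rundll32_cmdline(cmdline: str) -> Optional[Tuple[str, str, str]]:
    """Split a rundll32 command line into (dll_path, entry_point, remaining_args).

    rundll32 takes the DLL name as everything up to the first comma (spaces
    allowed), then the entry point up to the next whitespace. The leading
    program token may be quoted. Returns None when there is no DLL,entry pair.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end < 0:
            return None
        s = s[end + 1:]
    else:
        parts = s.split(None, 1)
        s = parts[1] if len(parts) > 1 else ""
    s = s.strip()
    if "," not in s:
        return None
    dll, _, rest = s.partition(",")
    entry, _, args = rest.lstrip().partition(" ")
    return dll.strip().strip('"'), entry.strip(), args.strip()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the loader pattern (empty list = not flagged)."""
    reasons: List[str] = []
    if event.get("Image", "").lower() not in RUNDLL32_IMAGES:
        return reasons
    parsed = parse_rundll32_cmdline(event.get("CommandLine", ""))
    if parsed is None:
        return reasons
    dll, entry, _ = parsed
    dll_l = dll.lower()
    if ntpath.isabs(dll_l):
        if any(m in dll_l for m in TEMP_MARKERS):
            reasons.append("DLL loaded from a temp directory: " + dll)
        elif not dll_l.startswith(WINDOWS_DIR):
            reasons.append("DLL loaded from outside the Windows directory: " + dll)
    ext = ntpath.splitext(dll_l)[1]
    if ext not in (".dll", ".cpl"):
        reasons.append("DLL argument has a non-standard extension: " + (ext or "<none>"))
    if SHORT_NAME.search(dll):
        reasons.append("8.3 short name in DLL path (defeats naive string matches on the real name)")
    if len(entry) == 1:  # heuristic: legitimate entry points are almost never one character
        reasons.append("single-character entry point: " + entry)
    parent_l = event.get("ParentImage", "").lower()
    if any(m in parent_l for m in TEMP_MARKERS):
        reasons.append("parent process runs from a temp directory: " + event["ParentImage"])
    return reasons


def flagged(events: List[Dict[str, str]] = EVENTS) -> Dict[str, List[str]]:
    """Map ProcessId -> reasons for every event that trips at least one heuristic."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        reasons = assess(ev)
        if reasons:
            out[ev["ProcessId"]] = reasons
    return out


if __name__ == "__main__":
    for pid, reasons in flagged().items():
        print(f"PID {pid}: rundll32 loader pattern, {len(reasons)} indicators")
        for r in reasons:
            print("   -", r)
```

Run as a script it prints the flagged PIDs with their indicators; in a pipeline, feed assess() the parsed fields of each process-creation event and route anything with two or more reasons to triage, since a single hit (for instance a DLL under a user profile) is common in legitimate software. The heuristics and their weighting are the example's own choices, not the sandbox's signature logic.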
Downloads
Filesize: 76KB
MD5: b2fc68e88d20d1098a7bb592659acc6b
SHA1: 3043af143463c6d7787fc12f2cbc4616006cbd62
SHA256: a33c26dc471374263e3a0c67e0448a15f37db7442d7662d6f6f9394011e4b7ca
SHA512: 035a7e15e1f8525d5b2b08ec9e61394c685169af9a679d15325c9ebc3e5267384c2d24b8059fa2c27424cced74c5ba40f1e4c063c3a983c56b5466cc55b0b30d

Filesize: 105KB
MD5: 04dbcc385d12d949e106761d89066e73
SHA1: fe5c5667c3f049491fccc857a7f4e284f99699b1
SHA256: 02cc31ea11c28c8d79b272e451622a10264cf4b08ea26f4e4056a74a30e0053e
SHA512: 6dd2500de2120029ee83e421a189d56262971643d1f9999c7899a3d2c8ce7689916026d643123e6a9c43a180e098d3a283899addf37e5aa23e3b10c3f032c90a

Filesize: 132KB
MD5: 50c5f34392f28d6ee7d30b68762b77f5
SHA1: 07a0ae5bfc2a9b2ade6f481a78c04fe6210f9ccb
SHA256: bffac2c0d1a37809c7529f5a5104d5799414c45c99ea03aa9ab2bdc383cdd853
SHA512: 7399d9408cd04871dc7ca5149dfee1c9007009e74bbb8e212d8a69d18d4f91cf82bcbe27d79fafedd37588036e99b7612d9a5bda7dc00d16e25d6d7ae7ebbf9a