Analysis
- max time kernel: 135s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2023 23:15

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: 06a6e6cbb43ff9e121bcf5895b399f33.exe
- Resource: win7-20231129-en
- 5 signatures
- 150 seconds
General
- Target: 06a6e6cbb43ff9e121bcf5895b399f33.exe
- Size: 1.0MB
- MD5: 06a6e6cbb43ff9e121bcf5895b399f33
- SHA1: 87705c6d5d903c00d176f12dc3bf672379e2c232
- SHA256: b97c821707e93e8e535dc3661098e792d55d493a5edbd3f59bfd559c34d7822d
- SHA512: 45aa27c23f6497777410a2b5e0064bd38c703f36c8930c36b57a7dcd35d5ddb2aaa3f273bb1615261a5d71869c0718b42466e79b44db3d5df8a7c384019e1dc8
- SSDEEP: 24576:18CRHmAGaXRh0sZ20347PYOHEf2P4iV4uoOAbiy:pBmAXfDMDP4ihRAbiy
Malware Config
Extracted
- Family: danabot
- Botnet: 4
- C2:
  - 23.229.29.48:443
  - 5.9.224.204:443
  - 192.210.222.81:443
- Attributes:
  - embedded_hash: 0E1A7A1479C37094441FA911262B322A
  - type: loader
  - rsa_pubkey.plain
  - rsa_privkey.plain
Signatures
- Danabot Loader Component (1 IoC)
  Processes:
  - resource: behavioral1/memory/2500-19-0x0000000001FE0000-0x0000000002140000-memory.dmp
    yara_rule: DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  - flow: 2, pid: 2500, process: rundll32.exe
- Loads dropped DLL (4 IoCs)
  Processes: rundll32.exe
  - pid: 2500, process: rundll32.exe (4 events)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: 06a6e6cbb43ff9e121bcf5895b399f33.exe
  - description: PID 2948 wrote to memory of 2500; pid: 2948; process: 06a6e6cbb43ff9e121bcf5895b399f33.exe; procid_target: 30 (7 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\06a6e6cbb43ff9e121bcf5895b399f33.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\06a6e6cbb43ff9e121bcf5895b399f33.exe"
   PID: 2948
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\06A6E6~1.DLL,s C:\Users\Admin\AppData\Local\Temp\06A6E6~1.EXE
      PID: 2500
      - Blocklisted process makes network request
      - Loads dropped DLL

Note on the tree: the command line names C:\Windows\system32\rundll32.exe but the executed image is C:\Windows\SysWOW64\rundll32.exe, so the loader started rundll32 as a 32-bit process and WoW64 file-system redirection resolved the path. The DLL is referenced by its 8.3 short name (06A6E6~1.DLL) in the same Temp directory as the sample, the entry point is the export named `s`, and the sample's own path (also as a short name) is passed back as the argument. The parent (PID 2948) is the process that wrote into PID 2500's memory, and PID 2500 is both the process that loaded the dropped DLL and the one whose memory region matched the DanabotLoader2021 YARA rule.
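As an added example (not part of the sandbox report or its export format), the following Python triage routine reproduces the process tree above as constructed records and scores it for the loader pattern the report shows: rundll32 loading a DLL from a user Temp directory, 8.3 short names in the arguments, a parent that wrote into the child's memory, and the rundll32 child making a network request. The record layout, field names and heuristics are this example's own assumptions; the paths, PIDs and command lines are taken from the report, plus one constructed benign rundll32 invocation as a control.

```python
"""Score a sandbox process tree for the rundll32-from-Temp loader pattern."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    """One process as a sandbox would report it (this example's own layout, not the sandbox's)."""
    pid: int
    image: str
    cmdline: str
    parent: int | None = None
    wrote_to: list = field(default_factory=list)  # PIDs this process wrote into (WriteProcessMemory)
    network: bool = False                         # process made a network request


# User-writable Temp directory on a Windows profile.
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# 8.3 short name component such as \06A6E6~1.DLL; hides the real (long) file name.
SHORT83_RE = re.compile(r"\\[^\\]{1,6}~\d+(\.[^\\. ]{1,3})?(?=\\|$|\s|,)", re.I)
# rundll32 syntax: <rundll32 path> <dll>,<entrypoint> [args]
RUNDLL_RE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)\s*(?P<args>.*)$',
    re.I,
)


def parse_rundll32(cmdline: str):
    """Return (dll, entrypoint, args) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return m.group("dll"), m.group("entry"), m.group("args").strip()


def score_tree(procs: list[Proc]) -> dict[int, list[str]]:
    """Return {pid: [finding, ...]} for every process matching loader-style behaviour."""
    by_pid = {p.pid: p for p in procs}
    findings: dict[int, list[str]] = {}
    for p in procs:
        hits: list[str] = []
        parsed = parse_rundll32(p.cmdline)
        if parsed:
            dll, entry, args = parsed
            if TEMP_RE.search(dll):
                hits.append(f"rundll32 loads DLL from user Temp: {dll} (entry point {entry!r})")
            if SHORT83_RE.search(dll) or SHORT83_RE.search(args):
                hits.append("8.3 short name in rundll32 arguments hides the real file name")
        parent = by_pid.get(p.parent)
        if parent and p.pid in parent.wrote_to:
            hits.append(f"parent {parent.pid} ({parent.image}) wrote into this process's memory")
            if TEMP_RE.search(parent.image):
                hits.append("parent itself runs from user Temp")
        if p.network and parsed:
            hits.append("rundll32 made a network request")
        if hits:
            findings[p.pid] = hits
    return findings


# Constructed from the report's process tree; the third record is a benign control.
SAMPLE_TREE = [
    Proc(pid=2948,
         image=r"C:\Users\Admin\AppData\Local\Temp\06a6e6cbb43ff9e121bcf5895b399f33.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\06a6e6cbb43ff9e121bcf5895b399f33.exe"',
         wrote_to=[2500]),
    Proc(pid=2500,
         image=r"C:\Windows\SysWOW64\rundll32.exe",
         cmdline=(r"C:\Windows\system32\rundll32.exe "
                  r"C:\Users\Admin\AppData\Local\Temp\06A6E6~1.DLL,s "
                  r"C:\Users\Admin\AppData\Local\Temp\06A6E6~1.EXE"),
         parent=2948, network=True),
    Proc(pid=1234,  # constructed benign control: Control Panel applet launch
         image=r"C:\Windows\System32\rundll32.exe",
         cmdline=r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
         parent=800),
]

if __name__ == "__main__":
    for pid, hits in score_tree(SAMPLE_TREE).items():
        print(f"PID {pid}:")
        for h in hits:
            print(f"  - {h}")
```

Run stand-alone it reports only PID 2500, with the Temp-resident DLL, the short-name arguments, the parent's WriteProcessMemory into it and its network request; the control rundll32 invocation from System32 produces no finding. Attaching the WriteProcessMemory hit to the child rather than the parent keeps the findings on the process that then loaded the dropped DLL and talked to the network, which matches how the report's signatures are grouped.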