Analysis
- max time kernel: 140s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2023 22:36

Behavioral task: behavioral1
- Sample: 05cb16ca310534b01cd97b6bb523439f.dll
- Resource: win7-20231129-en
- 3 signatures
- 150 seconds
General
- Target: 05cb16ca310534b01cd97b6bb523439f.dll
- Size: 1.3MB
- MD5: 05cb16ca310534b01cd97b6bb523439f
- SHA1: d143a0200cffa8e3b4feb1f18e8ebcb631a7c902
- SHA256: 4b1af11fe1b731207f32885aa63dd56d905414d257377d46209f0df55bae35c4
- SHA512: 310f1b85081c0c7116b4aab41b519cb2f155d0d074911f31cb4266bfe8fddba291dfc82e216e2d1efd4715b7c9d6df898c3740a5ead6d09eefa8897a2275b003
- SSDEEP: 24576:L8pWEmDXswcrLEEcQ1fObM5HqTgNmsBdMTWnrO:QtSzeTBdMTq
Malware Config (Extracted)
- Family: danabot
- Botnet: 4
- C2:
  - 23.229.29.48:443
  - 5.9.224.204:443
  - 192.210.222.81:443
- Attributes:
  - embedded_hash: 0E1A7A1479C37094441FA911262B322A
  - type: loader
- rsa_pubkey.plain
- rsa_privkey.plain
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: flow 2, pid 1848, process rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: PID 1680 wrote to memory of 1848, pid 1680, process rundll32.exe, procid_target 28 (the same event is listed 7 times in the report)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\05cb16ca310534b01cd97b6bb523439f.dll,#1
  PID: 1680
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\05cb16ca310534b01cd97b6bb523439f.dll,#1
    PID: 1848
    - Blocklisted process makes network request