Analysis

max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2023 20:22

Static task: static1
Behavioral task: behavioral1
  Sample: 02f6cd0c20673f819bba4b21f4d30d44.exe
  Resource: win7-20231129-en
General

Target: 02f6cd0c20673f819bba4b21f4d30d44.exe
Size: 1.2MB
MD5: 02f6cd0c20673f819bba4b21f4d30d44
SHA1: fbc98200bb30e5fd14b547dc75311f683ae0c875
SHA256: 463654d4c0ca86dbb8f6babe6f7614ce7475dd195bc1c6ea5b854a0ed7f6108f
SHA512: be485b4aed3fe843787d7a944698a4a1d0f0ad7347b0117ad77eccc3539523b4082bb913510d9b4225170108ba0579b074a229974369cf61e2c1c08fc320a66f
SSDEEP: 24576:w6TleADmI4T1kagXHq96dUEcZeN8VTbmH:LlI1kagFUEcZeOtm
Malware Config

Extracted
  danabot
  4
  142.11.244.124:443
  142.11.206.50:443
  embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
  type: loader
Signatures

Danabot Loader Component (12 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1640-9-0x0000000000920000-0x0000000000A7F000-memory.dmp    DanabotLoader2021
  behavioral1/files/0x000b0000000139e0-8.dat                                    DanabotLoader2021
  behavioral1/files/0x000b0000000139e0-7.dat                                    DanabotLoader2021
  behavioral1/memory/1640-12-0x0000000000920000-0x0000000000A7F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/1640-20-0x0000000000920000-0x0000000000A7F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/1640-21-0x0000000000920000-0x0000000000A7F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/1640-22-0x0000000000920000-0x0000000000A7F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/1640-23-0x0000000000920000-0x0000000000A7F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/1640-24-0x0000000000920000-0x0000000000A7F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/1640-25-0x0000000000920000-0x0000000000A7F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/1640-26-0x0000000000920000-0x0000000000A7F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/1640-27-0x0000000000920000-0x0000000000A7F000-memory.dmp   DanabotLoader2021

Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  flow   pid    Process
  2      1640   rundll32.exe

Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid    Process
  1640   rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: 02f6cd0c20673f819bba4b21f4d30d44.exe
  description                          pid    Process                                procid_target
  PID 2320 wrote to memory of 1640     2320   02f6cd0c20673f819bba4b21f4d30d44.exe   28
  PID 2320 wrote to memory of 1640     2320   02f6cd0c20673f819bba4b21f4d30d44.exe   28
  PID 2320 wrote to memory of 1640     2320   02f6cd0c20673f819bba4b21f4d30d44.exe   28
  PID 2320 wrote to memory of 1640     2320   02f6cd0c20673f819bba4b21f4d30d44.exe   28
  PID 2320 wrote to memory of 1640     2320   02f6cd0c20673f819bba4b21f4d30d44.exe   28
  PID 2320 wrote to memory of 1640     2320   02f6cd0c20673f819bba4b21f4d30d44.exe   28
  PID 2320 wrote to memory of 1640     2320   02f6cd0c20673f819bba4b21f4d30d44.exe   28
Processes

1. C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2320

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP,S C:\Users\Admin\AppData\Local\Temp\02F6CD~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 1640
Downloads

Filesize: 394KB
MD5: f65f2f47b342bb22302981889f62699b
SHA1: 66ef7315b9e3a00e40b3f2646198aa699ce99898
SHA256: c838276b43df3a0e96cc2d87189ceb803cd0a7223cee89944fec77107bbbd289
SHA512: 36f1c367f0f0edb884897505679c13b8d0f8e6787c5846ee055f8e0017d14d0d088531ab3287a62ef8f61c65da554fd397c897f437a1216908065edf8860db69

Filesize: 753KB
MD5: 21ce0b5ae3b9fc3502ff8df646c1f6fd
SHA1: c334e13f18fe093d5555a6a60e3706642e1c55f5
SHA256: 74769caa914081ef0a4689fad2d7165f820047d1bff4d1072e4ddaff721d2f89
SHA512: e05c5df4928fd17a26db8d8129ae23d028ad45497a8e9eacf29519cd8323a7b6b2fb01ca4849bb2a5218a50ae5a7eee5b5e9d897146ec9c1c31c4632d7952695