Analysis Overview
SHA256
463654d4c0ca86dbb8f6babe6f7614ce7475dd195bc1c6ea5b854a0ed7f6108f
Threat Level: Known bad
The file 02f6cd0c20673f819bba4b21f4d30d44 was found to be: Known bad.
Malicious Activity Summary
Danabot
Danabot Loader Component
Blocklisted process makes network request
Loads dropped DLL
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-29 20:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-29 20:22
Reported
2023-12-30 00:22
Platform
win7-20231129-en
Max time kernel
141s
Max time network
122s
Command Line
Signatures
Danabot
Danabot Loader Component
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe
"C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP,S C:\Users\Admin\AppData\Local\Temp\02F6CD~1.EXE
Network
| Country | Destination | Domain | Proto |
| US | 142.11.244.124:443 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP
| MD5 | 21ce0b5ae3b9fc3502ff8df646c1f6fd |
| SHA1 | c334e13f18fe093d5555a6a60e3706642e1c55f5 |
| SHA256 | 74769caa914081ef0a4689fad2d7165f820047d1bff4d1072e4ddaff721d2f89 |
| SHA512 | e05c5df4928fd17a26db8d8129ae23d028ad45497a8e9eacf29519cd8323a7b6b2fb01ca4849bb2a5218a50ae5a7eee5b5e9d897146ec9c1c31c4632d7952695 |
C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP
| MD5 | f65f2f47b342bb22302981889f62699b |
| SHA1 | 66ef7315b9e3a00e40b3f2646198aa699ce99898 |
| SHA256 | c838276b43df3a0e96cc2d87189ceb803cd0a7223cee89944fec77107bbbd289 |
| SHA512 | 36f1c367f0f0edb884897505679c13b8d0f8e6787c5846ee055f8e0017d14d0d088531ab3287a62ef8f61c65da554fd397c897f437a1216908065edf8860db69 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-29 20:22
Reported
2023-12-30 00:22
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Danabot
Danabot Loader Component
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2256 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe
"C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP,S C:\Users\Admin\AppData\Local\Temp\02F6CD~1.EXE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2256 -ip 2256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 516
Network
Files
memory/2256-2-0x0000000000D50000-0x0000000000E4F000-memory.dmp
memory/2256-1-0x0000000000B10000-0x0000000000C09000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\02F6CD~1.EXE.tmp
| MD5 | 7e0842a28143a9b40f5f63e2b8153f54 |
| SHA1 | 3f7daf28976148e55ec55cb7e725c83a04399462 |
| SHA256 | df94ed67841091979d6c86081f4ceaa6b9d892724307e6574f758b0c5dbee90c |
| SHA512 | d82b34308b5573aee84c482cd111cd87160f4eed2154a9d28bc6b4a70c792d607533481ed868a6ae4dc010355bd6f05ae371c92414a6ae6c2cfbaeea918cebcf |
C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP
| MD5 | 786b636f727a054829c7c2195d34136c |
| SHA1 | a3e8d25f2e96dbd6a6d3dcee48322d9339f2be67 |
| SHA256 | 05e692801356858257006f8c709434b103317509adc47ad0d3cb74eb39a15fd2 |
| SHA512 | 5c3114423cbb547f81ffa28dca437bd0a7fa78f67236506fa460a38a493b9ce24bb27106b4b5b39a5c74ce608e336de77fd0e16f511c4e8fa764569cdb006657 |