Analysis
max time kernel: 144s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2023 19:55
Static task: static1
Behavioral task: behavioral1
Sample: 0261d6c09c1f707a5231b9368368827a.exe
Resource: win7-20231215-en
General
Target: 0261d6c09c1f707a5231b9368368827a.exe
Size: 1.0MB
MD5: 0261d6c09c1f707a5231b9368368827a
SHA1: e1c2958f6e36478ed1714d2680e3171e9517b40d
SHA256: 00386f5a0b2c05405ef8dded9f15282e5a1d91e44d1264f139ecb9ac1204217d
SHA512: b968aa0e6a25bbdf8482f6707e5992ad4979c42c148538c3df5b770fd64748aad874825a3a65f8d2fdb2dc628e81452f2568d4254113598038b683338594fec7
SSDEEP: 24576:V0YILxtm+yLvubrtGyVbwqHx40+8nB9s0YTofO:VCyL2bsMbwEK296WO
Malware Config
Extracted
Family: danabot
4
C2 (ip:port):
- 142.11.244.124:443
- 142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (8 IoCs)
resource                                                                      yara_rule
behavioral1/files/0x000a000000012263-6.dat                                    DanabotLoader2021
behavioral1/memory/2016-8-0x0000000000B40000-0x0000000000C9D000-memory.dmp    DanabotLoader2021
behavioral1/files/0x000a000000012263-7.dat                                    DanabotLoader2021
behavioral1/memory/2016-11-0x0000000000B40000-0x0000000000C9D000-memory.dmp   DanabotLoader2021
behavioral1/memory/2016-20-0x0000000000B40000-0x0000000000C9D000-memory.dmp   DanabotLoader2021
behavioral1/memory/2016-21-0x0000000000B40000-0x0000000000C9D000-memory.dmp   DanabotLoader2021
behavioral1/memory/2016-22-0x0000000000B40000-0x0000000000C9D000-memory.dmp   DanabotLoader2021
behavioral1/memory/2016-23-0x0000000000B40000-0x0000000000C9D000-memory.dmp   DanabotLoader2021

Blocklisted process makes network request (1 IoC)
flow   pid    Process
2      2016   rundll32.exe

Loads dropped DLL (1 IoC)
pid    Process
2016   rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                         pid    Process                                 procid_target
PID 2132 wrote to memory of 2016    2132   0261d6c09c1f707a5231b9368368827a.exe    28
PID 2132 wrote to memory of 2016    2132   0261d6c09c1f707a5231b9368368827a.exe    28
PID 2132 wrote to memory of 2016    2132   0261d6c09c1f707a5231b9368368827a.exe    28
PID 2132 wrote to memory of 2016    2132   0261d6c09c1f707a5231b9368368827a.exe    28
PID 2132 wrote to memory of 2016    2132   0261d6c09c1f707a5231b9368368827a.exe    28
PID 2132 wrote to memory of 2016    2132   0261d6c09c1f707a5231b9368368827a.exe    28
PID 2132 wrote to memory of 2016    2132   0261d6c09c1f707a5231b9368368827a.exe    28
Processes

1. C:\Users\Admin\AppData\Local\Temp\0261d6c09c1f707a5231b9368368827a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0261d6c09c1f707a5231b9368368827a.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2132

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0261D6~1.TMP,S C:\Users\Admin\AppData\Local\Temp\0261D6~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 2016
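The process tree above shows the pattern a detection engineer would want to catch: a binary running from the user's Temp directory spawns rundll32.exe, hands it a module with a non-.dll extension (0261D6~1.TMP) plus an export name (S), and that rundll32 then talks to the C2 addresses from the extracted config. The following is an added example, not part of the sandbox report or the sandbox's own rules: a small Python rule set run over constructed process-create and network-connect records modelled on Sysmon event IDs 1 and 3. The field names, the list of user-writable directories beyond Temp, and the parent image of the sample are assumptions; the C2 addresses and the command lines are copied from the report.

```python
import re
from typing import Optional

# C2 endpoints (ip, port) taken from the report's extracted Danabot config.
DANABOT_C2 = {("142.11.244.124", 443), ("142.11.206.50", 443)}

# Locations an unprivileged user can write to. rundll32 loading a module from
# here, or being spawned by a binary running from here, is the pattern in the
# report's process tree; the directories beyond Temp are an assumption.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Downloads|Public)\\", re.IGNORECASE)

# Everything after the rundll32 image on the command line.
RUNDLL32_ARGS_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)
# rundll32 syntax is <module>,<export> [args]; the module may be quoted.
MODULE_EXPORT_RE = re.compile(r'^"?([^",]+?)"?\s*,\s*(\S+)')


def parse_rundll32(cmdline: str) -> Optional[tuple[str, str]]:
    """Return (module_path, export_name) for a rundll32 command line, else None."""
    m = RUNDLL32_ARGS_RE.search(cmdline)
    if not m:
        return None
    m2 = MODULE_EXPORT_RE.match(m.group(1).strip())
    return (m2.group(1), m2.group(2)) if m2 else None


def check_process(ev: dict) -> list[str]:
    """Rules for a process-create event; only rundll32 instances are examined."""
    if not ev["Image"].lower().endswith("\\rundll32.exe"):
        return []
    reasons = []
    if USER_WRITABLE_RE.search(ev.get("ParentImage", "")):
        reasons.append(f"rundll32 spawned by binary in user-writable path: {ev['ParentImage']}")
    parsed = parse_rundll32(ev["CommandLine"])
    if parsed:
        module, export = parsed
        if USER_WRITABLE_RE.search(module):
            reasons.append(f"rundll32 module in user-writable path: {module} (export {export})")
        if not module.lower().endswith(".dll"):
            reasons.append(f"rundll32 module without .dll extension: {module}")
    return reasons


def check_network(ev: dict) -> list[str]:
    """Rule for a network-connect event: destination on the Danabot C2 list."""
    key = (ev["DestinationIp"], ev["DestinationPort"])
    if key in DANABOT_C2:
        return [f"connection to known Danabot C2 {key[0]}:{key[1]}"]
    return []


def analyze(events: list[dict]) -> list[dict]:
    """Run every rule over the event stream and return one finding per hit."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            reasons = check_process(ev)
        elif ev["EventID"] == 3:
            reasons = check_network(ev)
        else:
            reasons = []
        findings.extend({"pid": ev["ProcessId"], "image": ev["Image"], "reason": r}
                        for r in reasons)
    return findings


# Constructed events modelled on Sysmon ID 1 (process create) and ID 3
# (network connect). The first two mirror the report's process tree; the
# third and fifth are benign controls (shell32.dll from System32, TEST-NET IP).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"EventID": 1, "ProcessId": 2132, "ParentImage": r"C:\Windows\explorer.exe",  # parent assumed
     "Image": TEMP + r"\0261d6c09c1f707a5231b9368368827a.exe",
     "CommandLine": f'"{TEMP}\\0261d6c09c1f707a5231b9368368827a.exe"'},
    {"EventID": 1, "ProcessId": 2016, "ParentImage": TEMP + r"\0261d6c09c1f707a5231b9368368827a.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": f"C:\\Windows\\system32\\rundll32.exe {TEMP}\\0261D6~1.TMP,S {TEMP}\\0261D6~1.EXE"},
    {"EventID": 1, "ProcessId": 3000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 3, "ProcessId": 2016, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "DestinationIp": "142.11.244.124", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 3000, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f['pid']:<5} {f['reason']}")
```

Run as a script it prints four findings, all against PID 2016 (parent in Temp, module in Temp, module without .dll extension, connection to C2) and none for the Control Panel invocation of shell32.dll. The three rundll32 rules fire independently on purpose: Danabot-style loaders vary the extension and directory between campaigns, and the parent-path rule still catches a loader that renames its dropped module to .dll.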
Network
MITRE ATT&CK Matrix
Downloads

File 1
Filesize: 510KB
MD5: 1aa821b499aec4b376f745bab15faf0e
SHA1: 463d55f7f3c502f07beeba33e1bcdfc58ff66b2e
SHA256: 93ec437e65890c67574a1f7c6b76d2e12fa17f0b08a935bb126be938f8088a9a
SHA512: 8cf8e287978900ea3aaae8706c867844f60ae06dbc73dd963b842e9bf6a9ccaf8312d37c417a837f0bf01838aa9c866fff36415b8e4ac9d1f96641853832d66d

File 2
Filesize: 336KB
MD5: 26fc57e763ac8b79711d0a57cf3dea25
SHA1: eef34cc64046d3fe16569185ef2c9830b154347e
SHA256: c3f6bf150392de4a21d5e6ed2bf31ad468aa3abc228e7f47bdfc0d55311b9f41
SHA512: a05dc5d2ad02368660cbe38df19886c2a25c639714a9821176d493fa9f0f4cb617b89b8f9380706fd62914bd4bfdcbce2575c54ff02de3a80bd80f52707c75f8