Analysis
-
max time kernel
143s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64
arch:x86
image:win10v2004-20231215-en
locale:en-us
os:windows10-2004-x64
system -
submitted
29-12-2023 19:55
Static task
static1
Behavioral task
behavioral1
Sample
0261d6c09c1f707a5231b9368368827a.exe
Resource
win7-20231215-en
General
-
Target
0261d6c09c1f707a5231b9368368827a.exe
-
Size
1.0MB
-
MD5
0261d6c09c1f707a5231b9368368827a
-
SHA1
e1c2958f6e36478ed1714d2680e3171e9517b40d
-
SHA256
00386f5a0b2c05405ef8dded9f15282e5a1d91e44d1264f139ecb9ac1204217d
-
SHA512
b968aa0e6a25bbdf8482f6707e5992ad4979c42c148538c3df5b770fd64748aad874825a3a65f8d2fdb2dc628e81452f2568d4254113598038b683338594fec7
-
SSDEEP
24576:V0YILxtm+yLvubrtGyVbwqHx40+8nB9s0YTofO:VCyL2bsMbwEK296WO
Malware Config
Extracted
danabot
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
-
type
loader
Signatures
-
Danabot Loader Component 12 IoCs
Processes:
resource | yara_rule
behavioral2/files/0x000b000000018062-7.dat | DanabotLoader2021
behavioral2/memory/1556-8-0x0000000000A60000-0x0000000000BBD000-memory.dmp | DanabotLoader2021
behavioral2/files/0x000b000000018062-6.dat | DanabotLoader2021
behavioral2/files/0x000b000000018062-5.dat | DanabotLoader2021
behavioral2/memory/1556-12-0x0000000000A60000-0x0000000000BBD000-memory.dmp | DanabotLoader2021
behavioral2/memory/1556-20-0x0000000000A60000-0x0000000000BBD000-memory.dmp | DanabotLoader2021
behavioral2/memory/1556-21-0x0000000000A60000-0x0000000000BBD000-memory.dmp | DanabotLoader2021
behavioral2/memory/1556-22-0x0000000000A60000-0x0000000000BBD000-memory.dmp | DanabotLoader2021
behavioral2/memory/1556-23-0x0000000000A60000-0x0000000000BBD000-memory.dmp | DanabotLoader2021
behavioral2/memory/1556-24-0x0000000000A60000-0x0000000000BBD000-memory.dmp | DanabotLoader2021
behavioral2/memory/1556-25-0x0000000000A60000-0x0000000000BBD000-memory.dmp | DanabotLoader2021
behavioral2/memory/1556-26-0x0000000000A60000-0x0000000000BBD000-memory.dmp | DanabotLoader2021 -
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | Process
88 | 1556 | rundll32.exe -
Loads dropped DLL 2 IoCs
Processes:
pid | Process
1556 | rundll32.exe
1556 | rundll32.exe -
Program crash 1 IoCs
Processes:
pid | pid_target | Process | procid_target
1000 | 3380 | WerFault.exe | 14 -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | Process | procid_target
PID 3380 wrote to memory of 1556 | 3380 | 0261d6c09c1f707a5231b9368368827a.exe | 59
PID 3380 wrote to memory of 1556 | 3380 | 0261d6c09c1f707a5231b9368368827a.exe | 59
PID 3380 wrote to memory of 1556 | 3380 | 0261d6c09c1f707a5231b9368368827a.exe | 59
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\0261d6c09c1f707a5231b9368368827a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0261d6c09c1f707a5231b9368368827a.exe"
   - Suspicious use of WriteProcessMemory
   PID: 3380
   -
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 516
      - Program crash
      PID: 1000
   -
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0261D6~1.TMP,S C:\Users\Admin\AppData\Local\Temp\0261D6~1.EXE
      (The command line names system32 but the image is SysWOW64: the 32-bit parent's call is subject to WoW64 file system redirection. The loader DLL is dropped with a .TMP extension, invoked through export S, and given the sample's own 8.3 path as its argument.)
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 1556
-
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3380 -ip 3380
   PID: 4312
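The rundll32 launch in the process tree above is the part of this report that is worth turning into detection logic: a DLL with a non-.dll extension, under the user's Temp directory, under an 8.3 short name, called through a one-letter export, spawned by a parent that itself lives in Temp. The script below is an added example and is not part of the sandbox report or of any vendor tooling; its event records are constructed from the PIDs, images and command lines listed above (plus one benign control), and the record layout (pid, ppid, image, cmdline) is an assumed Sysmon-like process-creation schema, not a real log format.

```python
"""Detection logic for the rundll32 loader launch seen in the process tree above.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree (PIDs, images and command lines as listed there, plus one
benign control); the record layout (pid, ppid, image, cmdline) is an assumed
Sysmon-like process-creation schema, not a real log format.
"""
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; ppid 0 and 1 are placeholders.
EVENTS = [
    ProcEvent(3380, 0, r"C:\Users\Admin\AppData\Local\Temp\0261d6c09c1f707a5231b9368368827a.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\0261d6c09c1f707a5231b9368368827a.exe"'),
    ProcEvent(1000, 3380, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 516"),
    ProcEvent(1556, 3380, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0261D6~1.TMP,S "
              r"C:\Users\Admin\AppData\Local\Temp\0261D6~1.EXE"),
    # benign control: rundll32 loading a system DLL through a normal export name
    ProcEvent(4444, 1, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
]

USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SHORT_NAME_RE = re.compile(r"~\d+\.")  # 8.3 short name such as 0261D6~1.TMP


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (dll, export, args); None if it is not rundll32."""
    tokens = shlex.split(cmdline, posix=False)  # Windows-style: backslashes are not escapes
    if len(tokens) < 2 or not tokens[0].strip('"').lower().endswith("rundll32.exe"):
        return None
    target = tokens[1].strip('"')
    dll, sep, export = target.rpartition(",")
    if not sep:  # no export given: the whole token is the DLL path
        dll, export = target, ""
    return dll, export, tokens[2:]


def assess_rundll32(event, by_pid):
    """Return the suspicious traits of one rundll32 launch (empty list if clean)."""
    parsed = parse_rundll32(event.cmdline)
    if parsed is None:
        return []
    dll, export, _args = parsed
    findings = []
    if USER_TEMP_RE.search(dll):
        findings.append("dll_in_user_temp")        # DLL loaded from a user-writable temp dir
    if not dll.lower().endswith(".dll"):
        findings.append("dll_extension_mismatch")  # .TMP (or anything else) loaded as a DLL
    if SHORT_NAME_RE.search(dll):
        findings.append("dll_short_83_name")       # 8.3 name, typical of a freshly dropped file
    if len(export) == 1:
        findings.append("single_char_export")      # export called by a one-letter name
    parent = by_pid.get(event.ppid)
    if parent is not None and USER_TEMP_RE.search(parent.image):
        findings.append("parent_in_user_temp")     # spawned by a binary that itself lives in Temp
    return findings


def scan(events):
    """Map pid -> findings for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: f for e in events if (f := assess_rundll32(e, by_pid))}


if __name__ == "__main__":
    for pid, findings in scan(EVENTS).items():
        print(pid, ", ".join(findings))
```

Each rule on its own is noisy (installers legitimately run rundll32 against files in Temp); the value is in counting how many trip together, which is why scan() returns the list rather than a boolean.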
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
14KB
MD5
1b4a70de393e0c2427bf16275affc5e9
SHA1
2dd4cbab86e9a1a00dbb8390e738633570dd6376
SHA256
6d74c5c015fb8ebfc58afc824f308b6e6efce91914dc8d6d155202ae26dbd892
SHA512
633c1f155d13b107c221a6192b1f6afa8ce047c6d52f27d932922e599f1f518d0b2c4b6f524ea443cb1323072c6f65fc61c97ccf817d59086a979fbd033c9d18
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(No Filesize is listed for this entry, and all four digests are those of zero-byte input: the sandbox recorded an empty response body, so there is no payload behind these hashes.)
-
Filesize
40KB
MD5
0287d3c3e420e16c7743f8acf3b382b9
SHA1
9addc7f1109ee34dcd53413587e9327169598892
SHA256
e1b57f8e8c52a86d90fa62ff2024011212a04c6f9160ae16715752e9fc19bab5
SHA512
74dd58569b4a9a7d6f4762cce6c07f945e0a99981081bb6c7ab1a03da4b3aae7ca3c335eeab7ff2728359b726bd817ef149ad0ce84fd27d017e46a070aa379d2
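Reports in this flattened form (the Malware Config block and the Downloads list above) are usually consumed by scripts rather than read by hand, and the extraction that produced this page glued some hash labels to their values. The parser below is an added example, not part of the report or of any sandbox vendor's tooling. REPORT is a constructed excerpt that mirrors the layout above: labels either on their own line or glued to the value, C2 entries as host:port, and one download entry whose digests are those of zero-byte input; the keys of the returned dictionary are my own choice.

```python
"""Pull the indicators out of a flattened sandbox report like the one above.

Added example, not part of the report. REPORT is a constructed excerpt that
mirrors the report's layout; the returned field names are an assumption.
"""
import hashlib
import re

# Constructed excerpt: same values as the report, both label layouts represented.
REPORT = """\
Malware Config
Extracted
danabot
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
-
type
loader
Downloads
-
Filesize
14KB
MD51b4a70de393e0c2427bf16275affc5e9
SHA12dd4cbab86e9a1a00dbb8390e738633570dd6376
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# digests of b"" per algorithm: a download entry carrying these has no body at all
EMPTY_DIGESTS = {name: getattr(hashlib, name.lower())(b"").hexdigest() for name in HASH_LEN}
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
# label optionally glued to the value; the literal label keeps SHA1/SHA256/SHA512 apart
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]*)$")


def finish(entry):
    """Flag a download entry whose every listed digest is the digest of empty input."""
    algos = [a for a in entry if a in HASH_LEN]
    entry["empty_body"] = bool(algos) and all(entry[a] == EMPTY_DIGESTS[a] for a in algos)
    return entry


def parse_report(text):
    """Return family, C2 list, embedded hash and per-download digests from report text."""
    iocs = {"family": None, "c2": [], "embedded_hash": None, "downloads": []}
    lines = [ln.strip() for ln in text.splitlines()]
    current = {}
    i = 0
    while i < len(lines):
        ln = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if ln == "Extracted":
            iocs["family"] = nxt
            i += 2
            continue
        if ln == "embedded_hash":
            iocs["embedded_hash"] = nxt.lower()
            i += 2
            continue
        if ln == "Filesize":
            current["size"] = nxt
            i += 2
            continue
        m = C2_RE.match(ln)
        if m:
            iocs["c2"].append((m.group(1), int(m.group(2))))
            i += 1
            continue
        m = HASH_RE.match(ln)
        if m:
            algo, value = m.group(1), m.group(2).lower()
            if not value:  # label on its own line: the value is on the next one
                value = nxt.lower()
                i += 1
            if len(value) == HASH_LEN[algo]:  # reject truncated or mis-split values
                current[algo] = value
            i += 1
            continue
        if ln == "-" and current:  # a bare "-" closes a download entry
            iocs["downloads"].append(finish(current))
            current = {}
        i += 1
    if current:
        iocs["downloads"].append(finish(current))
    return iocs


if __name__ == "__main__":
    for key, value in parse_report(REPORT).items():
        print(key, value)
```

The empty_body flag is the check worth keeping: a download entry whose MD5 is d41d8cd98f00b204e9800998ecf8427e should never be pushed into a blocklist, since every empty file on every host would match it.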