Analysis

max time kernel: 143s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2023 00:14

Static task: static1
Behavioral task: behavioral1
Sample: 082e530d5eca92e8ad49c1b8487c05aa.exe
Resource: win7-20231129-en
General

Target: 082e530d5eca92e8ad49c1b8487c05aa.exe
Size: 1.1MB
MD5: 082e530d5eca92e8ad49c1b8487c05aa
SHA1: 89edd59fab8bc491df3da839edf3f718caa439c7
SHA256: 8cff81b24f92676593f4f654e3158e9ea0f41238222be749393434af8fa1eff4
SHA512: 7dc936ab5bb67c1b5222f684a42571effd17205fd9e39017ea41fff8907a33df08bbad3755d9e29bc58783e4d5563550fa64473515db0da1e7018007d006e9f5
SSDEEP: 24576:C/O45NET5YsT2Kg7ltHvfSRauFPjNUhBtExc0dDUkQ:gS5Ysy7l5CauFmhBtExc0DUkQ
Malware Config

Extracted
danabot
4
193.34.167.138:443
142.11.206.50:443
142.11.244.124:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (13 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4220-9-0x0000000002170000-0x00000000022CD000-memory.dmp | DanabotLoader2021
behavioral2/files/0x000c000000023156-8.dat | DanabotLoader2021
behavioral2/files/0x000c000000023156-7.dat | DanabotLoader2021
behavioral2/files/0x000c000000023156-6.dat | DanabotLoader2021
behavioral2/memory/4220-12-0x0000000002170000-0x00000000022CD000-memory.dmp | DanabotLoader2021
behavioral2/memory/4220-20-0x0000000002170000-0x00000000022CD000-memory.dmp | DanabotLoader2021
behavioral2/memory/4220-21-0x0000000002170000-0x00000000022CD000-memory.dmp | DanabotLoader2021
behavioral2/memory/4220-22-0x0000000002170000-0x00000000022CD000-memory.dmp | DanabotLoader2021
behavioral2/memory/4220-23-0x0000000002170000-0x00000000022CD000-memory.dmp | DanabotLoader2021
behavioral2/memory/4220-24-0x0000000002170000-0x00000000022CD000-memory.dmp | DanabotLoader2021
behavioral2/memory/4220-25-0x0000000002170000-0x00000000022CD000-memory.dmp | DanabotLoader2021
behavioral2/memory/4220-26-0x0000000002170000-0x00000000022CD000-memory.dmp | DanabotLoader2021
behavioral2/memory/4220-27-0x0000000002170000-0x00000000022CD000-memory.dmp | DanabotLoader2021

Blocklisted process makes network request (1 IoC)
Processes:
flow | pid | Process
73 | 4220 | rundll32.exe

Loads dropped DLL (2 IoCs)
Processes:
pid | Process
4220 | rundll32.exe
4220 | rundll32.exe

Program crash (1 IoC)
Processes:
pid | pid_target | Process | procid_target
4300 | 2436 | WerFault.exe | 68

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | Process | procid_target
PID 2436 wrote to memory of 4220 | 2436 | 082e530d5eca92e8ad49c1b8487c05aa.exe | 94
PID 2436 wrote to memory of 4220 | 2436 | 082e530d5eca92e8ad49c1b8487c05aa.exe | 94
PID 2436 wrote to memory of 4220 | 2436 | 082e530d5eca92e8ad49c1b8487c05aa.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\082e530d5eca92e8ad49c1b8487c05aa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\082e530d5eca92e8ad49c1b8487c05aa.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2436

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 500
    - Program crash
    PID: 4300

  C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\082E53~1.TMP,S C:\Users\Admin\AppData\Local\Temp\082E53~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID: 4220

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2436 -ip 2436
  PID: 2728
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1.1MB
MD5: f9d0c5c9809a03f39a249bd22c9f4019
SHA1: 62d32eee182a1a34eacf5233c4b92eb406903916
SHA256: 9fbc329174d0588af656e285c1e3418ebf9708f5fec900121ab802b9a2e43a1e
SHA512: 99020ff15fc21c1cd13d893726c0e12738b6c8d4ccc8f2956fdb87aa6d9efc6c329032681c4c680e99828e78fd52e2b1329fbb571970b87ac296cec01870fb19

Filesize: 665KB
MD5: d4eadf58a2f60e334dd6c5bcd54d3d8d
SHA1: 5fc1b538cd3b66791805ea71716f913a0db1bc5e
SHA256: 85b1a1eedc8635eb4ff1473daf2cc892b4c05c3176ed6836a1b6002e7a3d77e7
SHA512: 755da353cd58a1d47f69b3b063f083726e640b6f1f293d987064b12c9ea1837c4dbdc5cc81e8ddbb34c5ed42959bc7b1d9000eeb0cd8e623bd57e2e388eb68d1

Filesize: 373KB
MD5: 422c83253c61e591a3d02e695a48a570
SHA1: 667e2aa99a25afb8e1242c7def2db2f14bd63ccb
SHA256: 75b5685bc23fd22ae7a9328456d05d0c894189c4ee03ad7c74ab28d2386d6d43
SHA512: 16e1025c77ce7549629dd6f450ee4c0d205b9741d2852cf8a2fb5181e0a52f256c8166648ec687b6966324703497bded46621bff666ae1f7ffebb675e9fbe8e3