Analysis
- max time kernel: 143s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30-12-2023 02:19
Static task: static1
Behavioral task: behavioral1
- Sample: 0b6fd9f0eda46983a5df44c086e9f073.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0b6fd9f0eda46983a5df44c086e9f073.exe
- Resource: win10v2004-20231215-en
General
- Target: 0b6fd9f0eda46983a5df44c086e9f073.exe
- Size: 1.2MB
- MD5: 0b6fd9f0eda46983a5df44c086e9f073
- SHA1: 65e9a9a2a550d30cc497686a7c17900576b0a501
- SHA256: 3f7ef3fcc9141ed9a7d7620c90325356956947add46038ece8167d8c5028273e
- SHA512: a32fd364fc804c4275dc5f641e355d4dfd481336a4e67791437941a1c599d55c15b4707149d283e2b86bb502c652c3707c6df67256a353f96632b3e02656f747
- SSDEEP: 24576:YNC4WivbbYqTkj7wtLCeEIOfN4wZvK7G2SLlZ8dwkVGDs09du:MRvbbYqYj7QCeXyKyK7G2SsuMGDlG
Malware Config
Extracted
- Family: danabot
- Version: 4
- C2: 142.11.244.124:443, 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
- type: loader
Signatures
Danabot Loader Component (11 IoCs)
Resource matched by YARA rule:
- behavioral1/files/0x000c0000000153ba-8.dat: DanabotLoader2021
- behavioral1/memory/2336-10-0x00000000020D0000-0x000000000222C000-memory.dmp: DanabotLoader2021
- behavioral1/files/0x000c0000000153ba-7.dat: DanabotLoader2021
- behavioral1/memory/2336-11-0x00000000020D0000-0x000000000222C000-memory.dmp: DanabotLoader2021
- behavioral1/memory/2336-19-0x00000000020D0000-0x000000000222C000-memory.dmp: DanabotLoader2021
- behavioral1/memory/2336-20-0x00000000020D0000-0x000000000222C000-memory.dmp: DanabotLoader2021
- behavioral1/memory/2336-21-0x00000000020D0000-0x000000000222C000-memory.dmp: DanabotLoader2021
- behavioral1/memory/2336-22-0x00000000020D0000-0x000000000222C000-memory.dmp: DanabotLoader2021
- behavioral1/memory/2336-23-0x00000000020D0000-0x000000000222C000-memory.dmp: DanabotLoader2021
- behavioral1/memory/2336-24-0x00000000020D0000-0x000000000222C000-memory.dmp: DanabotLoader2021
- behavioral1/memory/2336-25-0x00000000020D0000-0x000000000222C000-memory.dmp: DanabotLoader2021
Blocklisted process makes network request (1 IoC)
Processes:
- flow 2, PID 2336, process rundll32.exe
Loads dropped DLL (1 IoC)
Processes:
- PID 2336, process rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes (description, PID, process, target procid):
- PID 1096 wrote to memory of 2336; 1096 0b6fd9f0eda46983a5df44c086e9f073.exe; target 28
- PID 1096 wrote to memory of 2336; 1096 0b6fd9f0eda46983a5df44c086e9f073.exe; target 28
- PID 1096 wrote to memory of 2336; 1096 0b6fd9f0eda46983a5df44c086e9f073.exe; target 28
- PID 1096 wrote to memory of 2336; 1096 0b6fd9f0eda46983a5df44c086e9f073.exe; target 28
- PID 1096 wrote to memory of 2336; 1096 0b6fd9f0eda46983a5df44c086e9f073.exe; target 28
- PID 1096 wrote to memory of 2336; 1096 0b6fd9f0eda46983a5df44c086e9f073.exe; target 28
- PID 1096 wrote to memory of 2336; 1096 0b6fd9f0eda46983a5df44c086e9f073.exe; target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\0b6fd9f0eda46983a5df44c086e9f073.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0b6fd9f0eda46983a5df44c086e9f073.exe"
   PID: 1096
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0B6FD9~1.TMP,S C:\Users\Admin\AppData\Local\Temp\0B6FD9~1.EXE
      PID: 2336
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- File 1
  Filesize: 125KB
  MD5: 4ae7a27d58af017f5f043d2876693aa7
  SHA1: b743c101250fe0bd9dccadeb7fe88f85d14f1561
  SHA256: 803320c9ed622f258e71c54ec0c956c2b63985199c45f503cd0020aabb356fc1
  SHA512: fc84c3eb735fba01c67a79f0d7f685fffda85bb30e609b21c82ce361cb5d9d0b2f70fdea2ad76152787ffc98fb3ef21845d595e92ab776f69a2c74ffe1fc120f
- File 2
  Filesize: 128KB
  MD5: 649bc6de17055763d5d66a390ff5299c
  SHA1: 956cf013ad042b48c550c288f696037f236be88f
  SHA256: 15fb56893bc16e6d793340f87f6ab1add613fec7fc073a9e2802e24ec93333b6
  SHA512: f3cedc01ac4f0050af802c02d6429c96aa7331b8d566abc7f2d18faa545b74ce375221b72d60237cee06fe08f19d4f5147457c98cac461105fdb1332c27d9f90