Analysis Overview
SHA256
6abb3cc19d6f88bf35d506d10ee0c82cee7b5eebef4cbef70857cde8cd572894
Threat Level: Known bad
The file 0e320557c1eec1fdc59223f4bf2d3e5e was found to be: Known bad.
Malicious Activity Summary
Danabot
Danabot Loader Component
Blocklisted process makes network request
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-30 04:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 04:18
Reported
2023-12-30 21:38
Platform
win7-20231215-en
Max time kernel
197s
Max time network
220s
Command Line
Signatures
Danabot
Danabot Loader Component
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe
"C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL,s C:\Users\Admin\AppData\Local\Temp\0E3205~1.EXE
Network
| Country | Destination | Domain | Proto |
| US | 192.210.222.81:443 | N/A | tcp |
Files
memory/2596-2-0x0000000000400000-0x0000000000511000-memory.dmp
\Users\Admin\AppData\Local\Temp\0E3205~1.DLL
| MD5 | e1cc83616c86c0847355ac7c0b794bec |
| SHA1 | 2a847cf0e7ecc2811c1f8a10e0e742f32126077d |
| SHA256 | 0cecada4c3cce0dc9e884c05e5b1646ae1ad7cf4b09a2403b60e65e271d5fb76 |
| SHA512 | 42465ccfb359b2ee7ed4828b4c3227f1c58ee58f60efc7c053255656d6b6cd024e5effb1bb2c839b04c452636a85beec1a0ac21f3dacaa16818bc6079e6fd136 |
memory/1740-13-0x00000000009D0000-0x0000000000B30000-memory.dmp
\Users\Admin\AppData\Local\Temp\0E3205~1.DLL
| MD5 | 092f30ba16853b4b92b660a22de65b21 |
| SHA1 | bc985a64f76df2b030d9876f068910aeb4d86b0f |
| SHA256 | 32726cbc576fe61458228f5782a0d46e5f66fcb8a027657c61b0fe958307d1a3 |
| SHA512 | 26eadb49e2ccb886a24fbf2ea3f590fe8aefa4beac6c0e9c2367c09375c60a4e1268f0b75aad8d2f804bac4770c7f190de367bdb31da18fdcd1c7b19fcc21ec5 |
\Users\Admin\AppData\Local\Temp\0E3205~1.DLL
| MD5 | 6b16c63407bd53f70e952f40ea04ec18 |
| SHA1 | e3cad74e28acdb0a50b1ce46ef1d357dd5e283ad |
| SHA256 | 97bcf7a0d2757a58bb36dcd947240cbbbee6e414cb57302d325c7fc1d485dfb0 |
| SHA512 | e292a7981281578f5bee50541b68082a0daef060eb3e5d5e9583757e951643859b34c2dfe2ed8fe6eee3ecc149bffe28feebef80f570f78bdf0f83a95e0b89ac |
memory/2596-14-0x0000000000400000-0x0000000000511000-memory.dmp
memory/1740-15-0x00000000009D0000-0x0000000000B30000-memory.dmp
memory/2596-27-0x0000000000400000-0x0000000000511000-memory.dmp
memory/1740-30-0x00000000009D0000-0x0000000000B30000-memory.dmp
memory/1740-31-0x00000000009D0000-0x0000000000B30000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 04:18
Reported
2023-12-30 21:37
Platform
win10v2004-20231215-en
Max time kernel
159s
Max time network
172s
Command Line
Signatures
Danabot
Danabot Loader Component
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2000 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2000 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2000 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe
"C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL,s C:\Users\Admin\AppData\Local\Temp\0E3205~1.EXE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
Files
memory/2000-0-0x0000000000400000-0x0000000000511000-memory.dmp
memory/2000-3-0x0000000000400000-0x0000000000511000-memory.dmp
memory/2000-9-0x0000000000400000-0x0000000000511000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL
| MD5 | 65ad7931a1adaab562852ba347a4ff9a |
| SHA1 | bfc4bdaa5beb5f33c9cbdb8d1bbfa74c0b44a7b5 |
| SHA256 | eb64ede65019c5f166707e3c9f2047b5e357f96db57dab57c338e5ee27f01bf3 |
| SHA512 | a19f4d1fb6cff0e7907429ac68cdc9673ca9c067872b38da554b030f2486b8951e9416fd8fa6556a97958ac7747b13b1536950c74828dc5f2779502e9a75d457 |
memory/3440-13-0x0000000002230000-0x0000000002390000-memory.dmp
memory/2000-14-0x0000000000400000-0x0000000000511000-memory.dmp
memory/3440-15-0x0000000002230000-0x0000000002390000-memory.dmp
memory/2000-26-0x0000000000400000-0x0000000000511000-memory.dmp
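Both detonations show the same loader sequence: the submitted EXE drops 0E3205~1.DLL into the user's Temp directory, launches rundll32.exe with export `s` and its own path as the argument, writes into the rundll32.exe process (PID 2000 → 3440 in behavioral2), and rundll32.exe then makes the outbound TCP connection (192.210.222.81:443 in behavioral1). The following is an added detection example, not part of the sandbox report: it scores process-creation records against that pattern and carries the report's file hashes and C2 endpoint as an indicator set. The record fields (Image, CommandLine, ParentImage) follow Sysmon Event ID 1 naming; the first sample record copies the report's process tree, the benign baseline record is constructed. One caveat the report illustrates: the command line says `C:\Windows\system32\rundll32.exe` but the running image is `C:\Windows\SysWOW64\rundll32.exe`, because the 32-bit parent is subject to WoW64 file system redirection, so the check matches on the image path rather than on the path inside the command line.

```python
"""Score rundll32.exe process-creation events against the loader pattern in this report.

Added example, not the sandbox's or the malware's code. Field names follow Sysmon
Event ID 1; sample records below are constructed except where they copy the report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators copied from the report: SHA256 of the dropped 0E3205~1.DLL (three distinct
# contents in behavioral1, one in behavioral2) and the TCP destination from behavioral1.
DROPPED_DLL_SHA256 = {
    "0cecada4c3cce0dc9e884c05e5b1646ae1ad7cf4b09a2403b60e65e271d5fb76",
    "32726cbc576fe61458228f5782a0d46e5f66fcb8a027657c61b0fe958307d1a3",
    "97bcf7a0d2757a58bb36dcd947240cbbbee6e414cb57302d325c7fc1d485dfb0",
    "eb64ede65019c5f166707e3c9f2047b5e357f96db57dab57c338e5ee27f01bf3",
}
C2_ENDPOINTS = {("192.210.222.81", 443)}

RUNDLL32_IMAGE = re.compile(r"(?:^|\\)rundll32\.exe$", re.IGNORECASE)
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
SHORT_NAME = re.compile(r"~\d+(\.[^.\\]+)?$", re.IGNORECASE)  # 8.3 tail such as 0E3205~1.DLL


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields used by the check."""
    image: str
    command_line: str
    parent_image: str


def split_rundll32_cmdline(cmdline: str) -> Optional[Tuple[str, str, str]]:
    """Return (dll_path, export, remaining_args) for a rundll32 command line, or None."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):                      # quoted image token
        close = cmdline.find('"', 1)
        if close < 0:
            return None
        rest = cmdline[close + 1:].lstrip()
    else:
        parts = cmdline.split(None, 1)
        rest = parts[1] if len(parts) == 2 else ""
    if not rest:
        return None
    if rest.startswith('"'):                         # "quoted dll",export args
        close = rest.find('"', 1)
        if close < 0:
            return None
        dll = rest[1:close]
        m = re.match(r",?(\S*)\s*(.*)$", rest[close + 1:])
        return dll, m.group(1), m.group(2)
    pieces = re.split(r"\s+", rest, maxsplit=1)      # dll,export args
    dll, _, export = pieces[0].partition(",")
    args = pieces[1] if len(pieces) == 2 else ""
    return dll, export, args


def score_rundll32_event(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event matches the loader pattern (empty list if none)."""
    # Match on Image: a 32-bit parent writing C:\Windows\system32\rundll32.exe is
    # redirected by WoW64 to SysWOW64, as the report's process tree shows.
    if not RUNDLL32_IMAGE.search(ev.image):
        return []
    parsed = split_rundll32_cmdline(ev.command_line)
    if parsed is None:
        return []
    dll, export, args = parsed
    reasons = []
    if USER_TEMP.match(dll):
        reasons.append("dll loaded from user Temp")
    if SHORT_NAME.search(dll):
        reasons.append("dll referenced by 8.3 short name")
    if len(export) == 1:
        reasons.append("single-character export name")
    if USER_TEMP.match(ev.parent_image):
        reasons.append("parent executes from user Temp")
    arg0 = args.strip().strip('"')
    if USER_TEMP.match(arg0) and arg0.lower().endswith(".exe"):
        reasons.append("argument points back at a Temp executable")
    return reasons


def is_loader_pattern(ev: ProcessEvent, min_reasons: int = 2) -> bool:
    """Two independent signals are required so a lone Temp DLL load does not fire."""
    return len(score_rundll32_event(ev)) >= min_reasons


def is_known_dropped_dll(sha256_hex: str) -> bool:
    return sha256_hex.lower() in DROPPED_DLL_SHA256


def is_c2_endpoint(ip: str, port: int) -> bool:
    return (ip, port) in C2_ENDPOINTS


SAMPLE_EVENTS = [
    # Copied from the report's process tree (behavioral2, PID 2000 -> PID 3440).
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\rundll32.exe",
        command_line=r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0E3205~1.DLL,s C:\Users\Admin\AppData\Local\Temp\0E3205~1.EXE",
        parent_image=r"C:\Users\Admin\AppData\Local\Temp\0e320557c1eec1fdc59223f4bf2d3e5e.exe",
    ),
    # Constructed benign baseline: a Control Panel applet opened from Explorer.
    ProcessEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\desk.cpl',
        parent_image=r"C:\Windows\explorer.exe",
    ),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.image, "->", score_rundll32_event(ev) or "no match")
```

The reverse-DNS lookups to 8.8.8.8 and the tse1.mm.bing.net connections listed for behavioral2 are consistent with ordinary Windows 10 background traffic, so only the behavioral1 destination is carried as a network indicator; the four DLL hashes are kept separately because the same path is written with different content across runs, so a single-hash match would miss most of them.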