Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
- submitted: 30-12-2023 04:51

Static task: static1
Behavioral task: behavioral1
- Sample: 0f188430addd42481937c39756c45b26.exe
- Resource: win7-20231129-en
General
- Target: 0f188430addd42481937c39756c45b26.exe
- Size: 1.1MB
- MD5: 0f188430addd42481937c39756c45b26
- SHA1: b4b74e182129511ef280fc7646d0e0122ccdb01b
- SHA256: 23d57a913a8c60630d1f26d5f7eba55d8437d7595f562b1dd81b2ebc8d69751c
- SHA512: 32e9c7d34ea27bfc0cae3c023cd0f840d2e8d6ffe2c2ec8e6856a19d50653d9e07bccbffb6555bee43c71dc1e9bdbf8a4a77d96f82c67fae6634166d5105e52e
- SSDEEP: 24576:4WWDjj7ZwB8faqsLORHsrPk/rz/Mzo7Ao6hjk:4/b7G2aV6MrPk//if
Malware Config
Extracted: danabot
4
- C2:
  - 142.11.244.124:443
  - 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
- type: loader
Signatures
- Danabot Loader Component (11 IoCs)
  YARA rule DanabotLoader2021 matched on:
  - behavioral1/files/0x000a000000013a71-6.dat
  - behavioral1/files/0x000a000000013a71-7.dat
  - behavioral1/memory/2960-{8,11,20,21,22,23,24,25,26}-0x0000000000BC0000-0x0000000000D1C000-memory.dmp (nine dumps of the same region in pid 2960)
- Blocklisted process makes network request (1 IoC)
  - flow 2, pid 2960, rundll32.exe
- Loads dropped DLL (1 IoC)
  - pid 2960, rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  - PID 2396 (0f188430addd42481937c39756c45b26.exe) wrote to memory of 2960, procid_target 28; recorded 7 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\0f188430addd42481937c39756c45b26.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0f188430addd42481937c39756c45b26.exe"
   PID: 2396
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0F1884~1.TMP,S C:\Users\Admin\AppData\Local\Temp\0F1884~1.EXE
      PID: 2960
      - Blocklisted process makes network request
      - Loads dropped DLL
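The process tree above is the whole detection opportunity in this report: a dropper running from %TEMP% spawns rundll32.exe on a renamed .TMP module with a one-letter export ("S"), and that rundll32 instance is the process that talks to the extracted C2. The following is an added example (not part of the sandbox report or of any vendor's detection content) that turns those observations into correlation logic over Sysmon-style process-creation and network events. The event dictionaries, their field names (type, pid, ppid, image, cmdline, dst) and the benign control event are constructed for this example; the paths, PIDs and C2 addresses are taken from the report.

```python
"""Flag the Danabot loader pattern from this report: a %TEMP% dropper launching
rundll32.exe on a non-DLL module with a short export, then rundll32 contacting
a known C2. Event format is a simplified, constructed Sysmon-like dict."""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# C2 endpoints from the extracted Danabot config on this page.
DANABOT_C2 = {"142.11.244.124:443", "142.11.206.50:443"}

# Constructed sample telemetry modelled on the report's process tree.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2396, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0f188430addd42481937c39756c45b26.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0f188430addd42481937c39756c45b26.exe"'},
    {"type": "process_create", "pid": 2960, "ppid": 2396,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0F1884~1.TMP,S C:\Users\Admin\AppData\Local\Temp\0F1884~1.EXE"},
    {"type": "network_connect", "pid": 2960,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "dst": "142.11.244.124:443"},
    # Benign control (constructed): rundll32 calling a real export of a System32 DLL.
    {"type": "process_create", "pid": 3100, "ppid": 900,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "network_connect", "pid": 3100,
     "image": r"C:\Windows\System32\rundll32.exe", "dst": "93.184.216.34:443"},
]

# rundll32 [<module>],<export> [args]; the module may be quoted, the export runs to whitespace.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+)"?,(?P<export>[^\s"]+)', re.IGNORECASE)
DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax"}
TEMP_DIR = "\\appdata\\local\\temp\\"


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (module, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("module"), m.group("export")) if m else None


def score_rundll32(module: str, export: str, parent_image: str) -> List[str]:
    """Independent indicators matching the loader behaviour in this report."""
    reasons = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in DLL_EXTS:
        reasons.append(f"module_ext:{ext or 'none'}")   # ".TMP" in the report
    if TEMP_DIR in module.lower():
        reasons.append("module_in_temp")
    if len(export) == 1 or export.startswith("#"):      # "S" in the report; "#n" is an ordinal
        reasons.append(f"short_export:{export}")
    if TEMP_DIR in parent_image.lower():
        reasons.append("parent_in_temp")
    return reasons


def analyze(events: List[dict]) -> Dict[int, List[str]]:
    """Correlate process-creation and network events by pid; returns pid -> reasons."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    findings: Dict[int, List[str]] = defaultdict(list)
    for e in events:
        if e["type"] == "process_create" and "rundll32" in e["image"].lower():
            parsed = parse_rundll32(e["cmdline"])
            if parsed is None:
                continue
            reasons = score_rundll32(*parsed, images.get(e["ppid"], ""))
            if len(reasons) >= 2:   # require two independent indicators to keep noise down
                findings[e["pid"]].extend(reasons)
        elif e["type"] == "network_connect" and e["dst"] in DANABOT_C2:
            findings[e["pid"]].append(f"c2_contact:{e['dst']}")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

The two-indicator threshold in analyze() is deliberate: rundll32 loading a .cpl or an ordinal export on its own is common in legitimate software, but a non-DLL extension under %TEMP% combined with a single-letter export (the exact shape of the command line in this report) is not. The C2 match is appended regardless of the heuristic score, since a connection to an address from an extracted config is high-confidence on its own; note that the report's C2 list is specific to this sample and will rotate.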
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 382KB
  - MD5: fe49e6a7a896267c4536f0a587136479
  - SHA1: 1cb30cc99b0eda8c6ebd9a1684396419d946177f
  - SHA256: 2e954aa339af82ed8be774b42fbe6809befef39543a7d0c2becd94db9daebd9c
  - SHA512: 0e1970d044761d4a136a3a0b32d3ff8213f9ca19bff5c18ff17dc8b6b9466963a3e7834c0ef9a9dedb5d865dce3a2b0f954d0e319f27a66669fecd1cd71c88ba
- Filesize: 384KB
  - MD5: 1f88394840a08762a2877515800748e5
  - SHA1: 6215f8edfb4b3c9a44973dadef4bdfac4d545fde
  - SHA256: ce91d3fbe840af2a80fe9ef8e41ecb9e28925b6d4653eef83dd7e981511709b6
  - SHA512: 62e24dd71c3743a234ea7f640f59696f4804271e4d85dbff415903d36acd4f79aea506f0679a13b86f51c012c9be0bdb357465a43a9f61bef71546fe0edd4c30