Analysis
max time kernel: 141s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-12-2023 06:22
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 10f49a80de7e85fa33959da15d393f29.exe
  Resource: win7-20231215-en
  4 signatures, 150 seconds
General
Target: 10f49a80de7e85fa33959da15d393f29.exe
Size: 1.1MB
MD5: 10f49a80de7e85fa33959da15d393f29
SHA1: 4c01b7fb9421818af469b46355603a43fd2339e3
SHA256: f5fe7311025d620bccb08dcfb69f03c71620351b35ea8635b798ffc62374423a
SHA512: a580433022bd42d7cb8cb69c85b3a16aa861f394456160c1796af9e8835c77a14f2de8b924acaabe3d8b5d4320d87cf421130a5e1075452980fb4c7a624bbdb2
SSDEEP: 24576:BmAFA8YMYUXozd7t7JaHvvHIpXQ1QVmC19XJ03hWWN:Q0A8R4htdYvw21Q950
Malware Config
Extracted
Family: danabot
Botnet: 4
C2:
  142.11.244.124:443
  142.11.206.50:443
Attributes:
  embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
  type: loader
  rsa_pubkey.plain
  rsa_privkey.plain
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
  flow  pid   Process
  2     2368  rundll32.exe

Loads dropped DLL (1 IoCs)
Processes:
  pid   Process
  2368  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                  pid   Process                                procid_target
  PID 2128 wrote to memory of 2368  2128  10f49a80de7e85fa33959da15d393f29.exe  28
  PID 2128 wrote to memory of 2368  2128  10f49a80de7e85fa33959da15d393f29.exe  28
  PID 2128 wrote to memory of 2368  2128  10f49a80de7e85fa33959da15d393f29.exe  28
  PID 2128 wrote to memory of 2368  2128  10f49a80de7e85fa33959da15d393f29.exe  28
  PID 2128 wrote to memory of 2368  2128  10f49a80de7e85fa33959da15d393f29.exe  28
  PID 2128 wrote to memory of 2368  2128  10f49a80de7e85fa33959da15d393f29.exe  28
  PID 2128 wrote to memory of 2368  2128  10f49a80de7e85fa33959da15d393f29.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\10f49a80de7e85fa33959da15d393f29.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\10f49a80de7e85fa33959da15d393f29.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2128

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\10F49A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\10F49A~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 2368