Analysis
max time kernel: 140s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2023 09:43
Behavioral task: behavioral1
Sample: ca2b3c617eb2c8e4e0bbfe57e69426582515fd21e46de6b0a653b989c213f1c9.dll
Resource: win7-20231129-en
Signatures: 3
Run time: 150 seconds
General
Target: ca2b3c617eb2c8e4e0bbfe57e69426582515fd21e46de6b0a653b989c213f1c9.dll
Size: 2.4MB
MD5: a1e674b21c363fcc0d28784a789c3591
SHA1: 64ac1c37290e7a12af8b63d57bfb0543894a160c
SHA256: ca2b3c617eb2c8e4e0bbfe57e69426582515fd21e46de6b0a653b989c213f1c9
SHA512: d88a6c8ed154222d36f2f4b77c2a82778bc384d5f20a328a9e294a158bebf099b38989cc7b577bc2043ce07f6c5286ff71ef69848539ee4acba958cc203eb164
SSDEEP: 24576:XSZWClCcv6+E+AUXkf2jbFcMuQnFraLhjy+kUDZevsH9dqbmTlEpGkW2QSTWCdi/:CZlkej5oyUeiVrSTWCdi1d
Malware Config (extracted)
Family: danabot
Botnet: 4
C2:
  142.11.244.223:443
  192.236.194.72:443
Attributes:
  embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
  type: loader
  rsa_pubkey.plain
  rsa_privkey.plain
Signatures

Blocklisted process makes network request (1 IoC)
Processes: rundll32.exe
  flow | pid  | Process
  93   | 2264 | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description                    | pid | Process      | procid_target
  PID 972 wrote to memory of 2264 | 972 | rundll32.exe | 30
  PID 972 wrote to memory of 2264 | 972 | rundll32.exe | 30
  PID 972 wrote to memory of 2264 | 972 | rundll32.exe | 30
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca2b3c617eb2c8e4e0bbfe57e69426582515fd21e46de6b0a653b989c213f1c9.dll,#1
  Signature: Suspicious use of WriteProcessMemory
  PID: 972

  C:\Windows\SysWOW64\rundll32.exe (child of PID 972)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca2b3c617eb2c8e4e0bbfe57e69426582515fd21e46de6b0a653b989c213f1c9.dll,#1
    Signature: Blocklisted process makes network request
    PID: 2264