Analysis
- max time kernel: 142s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-01-2024 20:21

Static task: static1
Behavioral task: behavioral1
Sample: 6b60f7cbc0c04e3110ea9da7f9321fe3.exe
Resource: win7-20231129-en
General
- Target: 6b60f7cbc0c04e3110ea9da7f9321fe3.exe
- Size: 1.1MB
- MD5: 6b60f7cbc0c04e3110ea9da7f9321fe3
- SHA1: 5051291ed1160c0f5bdd79f1d5706807f2d7512b
- SHA256: 73330db1f35105b797d13d85b7e372cd0fc8a7eab0ed05ba1d864457d0e7666c
- SHA512: bf61735f3ee94390c69348dbe9c78bc0a1d56e7c64ce2b9ecedd10147ccb6db8aed677f24a8d32fabc8ab308ab33861d4eb383addcc1ec43d7bbcd453b943b0c
- SSDEEP: 24576:RIcECYHIt8+5eZ+conosN6FOf8qtRfJ6a6BPA:RIxvHrSEcJgU8yfJ6NBI
Malware Config
Extracted
- danabot
- 4
- 142.11.244.124:443
- 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
- type: loader
Signatures
- Danabot Loader Component (11 IoCs)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\6B60F7~1.TMP | DanabotLoader2021
  C:\Users\Admin\AppData\Local\Temp\6B60F7~1.EXE.tmp | DanabotLoader2021
  behavioral2/memory/3328-10-0x0000000000400000-0x000000000055E000-memory.dmp | DanabotLoader2021
  behavioral2/memory/3328-18-0x0000000000400000-0x000000000055E000-memory.dmp | DanabotLoader2021
  behavioral2/memory/3328-19-0x0000000000400000-0x000000000055E000-memory.dmp | DanabotLoader2021
  behavioral2/memory/3328-20-0x0000000000400000-0x000000000055E000-memory.dmp | DanabotLoader2021
  behavioral2/memory/3328-21-0x0000000000400000-0x000000000055E000-memory.dmp | DanabotLoader2021
  behavioral2/memory/3328-22-0x0000000000400000-0x000000000055E000-memory.dmp | DanabotLoader2021
  behavioral2/memory/3328-23-0x0000000000400000-0x000000000055E000-memory.dmp | DanabotLoader2021
  behavioral2/memory/3328-24-0x0000000000400000-0x000000000055E000-memory.dmp | DanabotLoader2021
  behavioral2/memory/3328-25-0x0000000000400000-0x000000000055E000-memory.dmp | DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
  49 | 3328 | rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  3328 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 4400 wrote to memory of 3328 | 4400 | 6b60f7cbc0c04e3110ea9da7f9321fe3.exe | rundll32.exe
  PID 4400 wrote to memory of 3328 | 4400 | 6b60f7cbc0c04e3110ea9da7f9321fe3.exe | rundll32.exe
  PID 4400 wrote to memory of 3328 | 4400 | 6b60f7cbc0c04e3110ea9da7f9321fe3.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6b60f7cbc0c04e3110ea9da7f9321fe3.exe (PID 4400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b60f7cbc0c04e3110ea9da7f9321fe3.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3328, child of 4400)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6B60F7~1.TMP,S C:\Users\Admin\AppData\Local\Temp\6B60F7~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
Downloads
- Filesize: 906KB
  MD5: ce12b8298d81fca2e9ed662ace067f07
  SHA1: 871940ce14cd1ff6b7476876b69e77a259157450
  SHA256: 686cd9986056b4c9688b745374411a1b3edec049a8b909cacc24a697faf0ca0a
  SHA512: 5e589fc5f815f779e93c60f2cc759a7c8d3a1238a358e46bc8ca92ecaa816d5e556997499108b054f860f9a7c2bc4e074a580f7eb5e7df9609dea45c0d553545
- Filesize: 32KB
  MD5: 86071dadf729c718dc1331fc409ce6a7
  SHA1: 17eb3c5052f2ead81c2fc22fbf6b98201b47d16d
  SHA256: 0b31438a4db9bf8bf7c0840e6d244c350bc5c618a8c85f0fa4b72fe4da70fe11
  SHA512: 54959997cd2781a0b141d0e907b17571ec968273d6c4546f76a3e0aa022fd970cc523c5c78eb8842ac1e701f92ec596405b607aeab3e0bb0fb6d364ab873671a