Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24-01-2024 19:12
Behavioral task
behavioral1
Sample: 72d380ce80b2ef48bcb48229fa6d2883.dll
Resource: win7-20231215-en
4 signatures
150 seconds
General
Target: 72d380ce80b2ef48bcb48229fa6d2883.dll
Size: 1.3MB
MD5: 72d380ce80b2ef48bcb48229fa6d2883
SHA1: ed9cf3e77afb7bb5de0cc87e37d64e9f1a663708
SHA256: ee5baf24c6f5977dcb2cd3cf124e9dbd0a838d72c58487f21479d44be2cd6469
SHA512: 69bed8a3b953c6a7f42fd4b43c1a84dbb5c4cfa2819714737137bda32d662a3d3b816144112499759453d5e368c046b81cd5872a231ec239275cd42b6b329928
SSDEEP: 24576:g8FG1zWtt288dOwB2R6PWv3C9nOPTNaj4e:TdctuvS92TY
Malware Config
Extracted
Family: danabot
Botnet: 4
C2:
23.229.29.48:443
5.9.224.204:443
192.210.222.81:443
Attributes
embedded_hash: (raw binary value, not rendered in this report)
type: loader
Signatures
Danabot Loader Component (15 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2180-0-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-1-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-2-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-3-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-4-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-5-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-6-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-7-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-8-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-9-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-10-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-11-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-12-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-13-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021
behavioral1/memory/2180-14-0x0000000000300000-0x0000000000460000-memory.dmp | DanabotLoader2021

Blocklisted process makes network request (1 IoCs)
Processes:
flow | pid | process
2 | 2180 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description | pid | process | target process
PID 1992 wrote to memory of 2180 | 1992 | rundll32.exe | rundll32.exe
PID 1992 wrote to memory of 2180 | 1992 | rundll32.exe | rundll32.exe
PID 1992 wrote to memory of 2180 | 1992 | rundll32.exe | rundll32.exe
PID 1992 wrote to memory of 2180 | 1992 | rundll32.exe | rundll32.exe
PID 1992 wrote to memory of 2180 | 1992 | rundll32.exe | rundll32.exe
PID 1992 wrote to memory of 2180 | 1992 | rundll32.exe | rundll32.exe
PID 1992 wrote to memory of 2180 | 1992 | rundll32.exe | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\72d380ce80b2ef48bcb48229fa6d2883.dll,#1
PID: 1992
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (child process)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\72d380ce80b2ef48bcb48229fa6d2883.dll,#1
  PID: 2180
  - Blocklisted process makes network request