Analysis
max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 19:11
Static task: static1
Behavioral task: behavioral1
Sample: 754a5f1c3be937da2062cb0a400770ae.exe
Resource: win7-20231129-en
General
Target: 754a5f1c3be937da2062cb0a400770ae.exe
Size: 1.2MB
MD5: 754a5f1c3be937da2062cb0a400770ae
SHA1: 2c1334d0d98d14d98cc12ea0066c1f023941642c
SHA256: 7d21d406d52ef30355db1a78f666f298952a41f44458be63b0959eb73e1a8ece
SHA512: 1c38dc92493fc7bf3875f9073c08cdbd08c346e13e141967aefe0d8db96b8b66934cb27a6678d717a38fb679da5a127f14a00842463be3c8d55e188b1effd6e8
SSDEEP: 24576:fnWuAlVsChDd0SOPNXzfAzovS8ivblpnCCZ/IshLw2Zge:OVhJdb2fAz1pDlEQNqe
Malware Config
Extracted: danabot 4
C2: 142.11.244.124:443
C2: 142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (12 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1996-10-0x0000000001FB0000-0x000000000210E000-memory.dmp | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\754A5F~1.TMP | DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\754A5F~1.TMP | DanabotLoader2021
behavioral1/memory/1996-11-0x0000000001FB0000-0x000000000210E000-memory.dmp | DanabotLoader2021
behavioral1/memory/1996-20-0x0000000001FB0000-0x000000000210E000-memory.dmp | DanabotLoader2021
behavioral1/memory/1996-21-0x0000000001FB0000-0x000000000210E000-memory.dmp | DanabotLoader2021
behavioral1/memory/1996-22-0x0000000001FB0000-0x000000000210E000-memory.dmp | DanabotLoader2021
behavioral1/memory/1996-23-0x0000000001FB0000-0x000000000210E000-memory.dmp | DanabotLoader2021
behavioral1/memory/1996-24-0x0000000001FB0000-0x000000000210E000-memory.dmp | DanabotLoader2021
behavioral1/memory/1996-25-0x0000000001FB0000-0x000000000210E000-memory.dmp | DanabotLoader2021
behavioral1/memory/1996-26-0x0000000001FB0000-0x000000000210E000-memory.dmp | DanabotLoader2021
behavioral1/memory/1996-27-0x0000000001FB0000-0x000000000210E000-memory.dmp | DanabotLoader2021

Blocklisted process makes network request (1 IoC)
Processes:
flow | pid | process
2 | 1996 | rundll32.exe

Loads dropped DLL (1 IoC)
Processes:
pid | process
1996 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description | pid | process | target process
PID 2928 wrote to memory of 1996 | 2928 | 754a5f1c3be937da2062cb0a400770ae.exe | rundll32.exe
PID 2928 wrote to memory of 1996 | 2928 | 754a5f1c3be937da2062cb0a400770ae.exe | rundll32.exe
PID 2928 wrote to memory of 1996 | 2928 | 754a5f1c3be937da2062cb0a400770ae.exe | rundll32.exe
PID 2928 wrote to memory of 1996 | 2928 | 754a5f1c3be937da2062cb0a400770ae.exe | rundll32.exe
PID 2928 wrote to memory of 1996 | 2928 | 754a5f1c3be937da2062cb0a400770ae.exe | rundll32.exe
PID 2928 wrote to memory of 1996 | 2928 | 754a5f1c3be937da2062cb0a400770ae.exe | rundll32.exe
PID 2928 wrote to memory of 1996 | 2928 | 754a5f1c3be937da2062cb0a400770ae.exe | rundll32.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\754a5f1c3be937da2062cb0a400770ae.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\754a5f1c3be937da2062cb0a400770ae.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2928

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\754A5F~1.TMP,S C:\Users\Admin\AppData\Local\Temp\754A5F~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 1996
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 942KB
MD5: b907fbc0f95af58daa7c824fcbccd663
SHA1: 9d25677a9972112e300fd8edaea1df48b7322746
SHA256: 4ed0b004689d5d5ecdf4a4b96484bf14cb31765d7e2737c7809afefa3d862704
SHA512: 0aa1780f9ae1e3d2a3bfd27505a4ca749caf88230a789ed7fca0d042e6b1bc1232e46d523581167c7b5e9df0251f2aedd65ef484e676fd4fcdeec1d91701ac33

Filesize: 778KB
MD5: bea540df6e226396e8ad89e3e37d9e40
SHA1: 969f773902fe1622cf83d051be39c1e67e2620b5
SHA256: 477d6a724847741173347cda21b619f9badae392318ef05f4e00edd3dbebb402
SHA512: c93f66a1d4f70ce810fc3febad4e2bef1776a9d4906c8daa7cc783bfced287e553773083103fc74581530eb29d57f1cf686e2aacb9cafbb333892606e189d690