Analysis
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2024 18:17

Static task: static1
Behavioral task: behavioral1
Sample: 80893465004ba8821412c5815efad34b.exe
Resource: win7-20231215-en
General
Target: 80893465004ba8821412c5815efad34b.exe
Size: 1.0MB
MD5: 80893465004ba8821412c5815efad34b
SHA1: 0af98a99a81e59ccc450872b15e5f857ce77f408
SHA256: caeba1910c89f2122e91e962d96987421b822487681d549bcf9d3118d1b87bb4
SHA512: 773b1e8b48b815185e3c2847d25707275f07f89b0929ba32f3eaa97f52b89c1b9777e1e788a8826cfa54f86bf31f08f0535f9f9e936e3e5caf5761efc422cd76
SSDEEP: 24576:GeqrjrakGkowvldxnK2uWBnnB4YVApRXITalmjaw:MmkowvdK2nnnBudCf
Malware Config
Extracted
Family: danabot
Botnet: 4
C2:
  193.34.167.138:443
  152.89.247.31:443
  192.210.222.81:443
  142.11.244.124:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
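Added example, not part of the Triage report: a Python check that matches connection records against the four C2 endpoints in the extracted config above, and emits one Suricata rule per endpoint. The conn.log lines are constructed for the example; the C2 set is the one listed above, and the sid range and rule message are assumptions.

```python
"""Match connection records against the DanaBot C2 list in the config above.

Added example, not part of the Triage report. DANABOT_C2 holds the four
IP:port pairs from the extracted config; the conn.log lines are constructed.
"""
import csv
import io
from collections import namedtuple

# C2 endpoints from the extracted config (all TCP/443).
DANABOT_C2 = {
    ("193.34.167.138", 443),
    ("152.89.247.31", 443),
    ("192.210.222.81", 443),
    ("142.11.244.124", 443),
}

# Constructed Zeek conn.log-style records (tab separated). Only CaBc1 and
# CaBc3 are exact IP:port matches; CaBc4 reuses a C2 IP on a different port.
SAMPLE_CONN_LOG = (
    "ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1706552220.100\tCaBc1\t10.0.0.15\t49812\t193.34.167.138\t443\ttcp\n"
    "1706552221.300\tCaBc2\t10.0.0.15\t49813\t142.250.74.46\t443\ttcp\n"
    "1706552225.000\tCaBc3\t10.0.0.15\t49820\t152.89.247.31\t443\ttcp\n"
    "1706552230.500\tCaBc4\t10.0.0.22\t51000\t192.210.222.81\t8443\ttcp\n"
)

Hit = namedtuple("Hit", "uid src dst dport exact")


def find_c2_hits(log_text, c2=DANABOT_C2, ip_only=False):
    """Return Hit records for rows whose responder matches a C2 endpoint.

    exact=True means IP and port both matched. With ip_only=True a row also
    hits when only the IP matches (exact=False), the broader pivot to use
    when the ports in the config may not be the only ones in use.
    """
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        dst, dport = row["id.resp_h"], int(row["id.resp_p"])
        exact = (dst, dport) in c2
        if exact or (ip_only and dst in c2_ips):
            hits.append(Hit(row["uid"], row["id.orig_h"], dst, dport, exact))
    return hits


def suricata_rules(c2=DANABOT_C2, base_sid=9000001):
    """One Suricata rule per C2 endpoint; the sid range is an assumption."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"DanaBot loader C2 {ip}:{port}"; flow:to_server; '
        f'classtype:trojan-activity; sid:{base_sid + n}; rev:1;)'
        for n, (ip, port) in enumerate(sorted(c2))
    ]


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_CONN_LOG, ip_only=True):
        print(f"{hit.uid}: {hit.src} -> {hit.dst}:{hit.dport} "
              f"{'exact' if hit.exact else 'ip-only'}")
    print("\n".join(suricata_rules()))
```

The C2 traffic is on 443, so the rules above match on the 5-tuple only and give no content to inspect; treat config-extracted endpoints as a short-lived indicator and pair the IP match with the rundll32 process context from the behavioral section rather than blocking on the IP alone.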
Signatures

Danabot Loader Component (3 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\808934~1.TMP                               DanabotLoader2021
  behavioral2/memory/3456-10-0x0000000000400000-0x000000000055D000-memory.dmp  DanabotLoader2021
  behavioral2/memory/3456-18-0x0000000000400000-0x000000000055D000-memory.dmp  DanabotLoader2021

Blocklisted process makes network request (1 IoC)
  flow  pid   process
  44    3456  rundll32.exe

Loads dropped DLL (1 IoC)
  pid   process
  3456  rundll32.exe

Program crash (1 IoC)
  pid  pid_target  process       target process
  216  3656        WerFault.exe  80893465004ba8821412c5815efad34b.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process                               target process
  PID 3656 wrote to memory of 3456   3656  80893465004ba8821412c5815efad34b.exe  rundll32.exe
  PID 3656 wrote to memory of 3456   3656  80893465004ba8821412c5815efad34b.exe  rundll32.exe
  PID 3656 wrote to memory of 3456   3656  80893465004ba8821412c5815efad34b.exe  rundll32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\80893465004ba8821412c5815efad34b.exe
  "C:\Users\Admin\AppData\Local\Temp\80893465004ba8821412c5815efad34b.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3656

    C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\808934~1.TMP,S C:\Users\Admin\AppData\Local\Temp\808934~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 3456

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 448
      - Program crash
      PID: 216

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3656 -ip 3656
  PID: 4228
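Added example, not part of the Triage report: a Python check for the rundll32 pattern in the tree above, where the dropper in the user's Temp directory launches rundll32 on an 8.3-named .TMP module with export S and passes its own path as the argument; the rundll32 child (PID 3456) is the process that carries the YARA hits and the network flow. The process-creation events are constructed Sysmon-style records: the first reproduces the report's command line and parent image, the other two are benign controls. The trusted-directory allowlist, field names and reason strings are assumptions.

```python
"""Flag rundll32 invocations like the one in the process tree above.

Added example, not part of the Triage report. EVENTS are constructed
Sysmon-style process-creation records; EVENTS[0] reproduces the command line
and parent shown in the report, the others are benign controls.
"""
import re
from pathlib import PureWindowsPath

# rundll32 image (quoted or bare), then "<dll>,<entry>" with the DLL either
# quoted or a run of non-space, non-comma characters, then optional arguments.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))'
    r'(?:\s*,\s*(?P<entry>\S+))?'
    r'(?:\s+(?P<args>.*?))?\s*$',
    re.IGNORECASE,
)
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Assumption: a small allowlist that a real deployment would tune.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)

EVENTS = [
    {   # the report's rundll32 child (PID 3456) of the dropper (PID 3656)
        "ProcessId": 3456,
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "CommandLine": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\808934~1.TMP,S C:\Users\Admin\AppData\Local\Temp\808934~1.EXE",
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\80893465004ba8821412c5815efad34b.exe",
    },
    {   # constructed benign control: Control Panel applet launch
        "ProcessId": 5120,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # constructed benign control: quoted DLL path under Program Files
        "ProcessId": 5300,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Foo\bar.dll",Run',
        "ParentImage": r"C:\Program Files\Foo\foo.exe",
    },
]


def parse_rundll32_cmdline(cmdline):
    """Split a rundll32 command line into dll, entry point and arguments."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return {
        "dll": m.group("q") or m.group("u"),
        "entry": m.group("entry") or "",
        "args": m.group("args") or "",
    }


def assess_rundll32(event):
    """Return the reasons this rundll32 launch looks like a dropped loader."""
    parsed = parse_rundll32_cmdline(event["CommandLine"])
    if parsed is None:
        return []
    dll = parsed["dll"]
    reasons = []
    if not dll.lower().startswith(TRUSTED_DLL_DIRS):
        reasons.append("module outside trusted DLL directories")
    suffix = PureWindowsPath(dll).suffix.lower()
    if suffix != ".dll":
        reasons.append(f"module extension is {suffix or '(none)'}, not .dll")
    if USER_TEMP.search(dll):
        reasons.append("module loaded from user Temp")
    if USER_TEMP.search(event.get("ParentImage", "")):
        reasons.append("parent process runs from user Temp")
    if USER_TEMP.search(parsed["args"]):
        reasons.append("argument points at a file in user Temp")
    return reasons


def flagged(events):
    """(ProcessId, reasons) for every event with at least one reason."""
    return [(e["ProcessId"], r) for e in events if (r := assess_rundll32(e))]


if __name__ == "__main__":
    for pid, reasons in flagged(EVENTS):
        print(pid, "; ".join(reasons))
```

The extension check matters on its own: rundll32 loads whatever LoadLibrary accepts, so a module named .TMP under an 8.3 short name is a loader choice, not a constraint, and the parent crashing afterwards (WerFault -p 3656) does not stop the child that already holds the network flow.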
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.3MB
MD5: cfc25f6127c1542eee376a6b9fb0d3d9
SHA1: cf1c89eba15320765f2b6ebced98edd77ed67a6e
SHA256: 8af95e7b245deede697fbb9081551dd88610dfd72a0cba790c7c382c29f99ccc
SHA512: 4dbb5f03fecd7da3833197b36288d0431820ba72ede7d0c07bfa9aae7ffcddf67ab6f1acf6f46567d69b0b90d042067c602cf02e6d527cf7e79271339034295d