Analysis
- max time kernel: 141s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-02-2024 13:16
Behavioral task: behavioral1
- Sample: 973e243a21c58d1ce53e81b6cfb13f29.dll
- Resource: win7-20231215-en (windows7-x64)
- 4 signatures
- 150 seconds
General
- Target: 973e243a21c58d1ce53e81b6cfb13f29.dll
- Size: 1.3MB
- MD5: 973e243a21c58d1ce53e81b6cfb13f29
- SHA1: 7e8eba90c43e6bc2bbbb966923f9f9ff76ab01d6
- SHA256: a4f029ef2f2dcd8319955185a0675b446ad78f737a383afb57f86ae70335d1a3
- SHA512: d44b3c66611ef1b16eb15361cb476776d1980a6b9d5a1abac73a3b3942b95205c54dafb7f99e86d0c640f85c38ec7eaa66ca63578704cde61ff7dc269e1a9ebe
- SSDEEP: 24576:pcFPyHJP0Mrwfy8uS6pWeiPAEn5OWb/7WdTMQ+J4:KciP/n5ZidTS4
Malware Config
Extracted
- Family: danabot
- Botnet: 4
- C2:
  - 142.11.244.124:443
  - 142.11.206.50:443
- Attributes:
  - embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
  - type: loader
- rsa_pubkey.plain
- rsa_privkey.plain
Signatures
- Danabot Loader Component (15 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/3044-0-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-1-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-2-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-3-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-4-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-5-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-6-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-7-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-8-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-9-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-10-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-11-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-12-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-13-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3044-14-0x0000000000470000-0x00000000005CF000-memory.dmp | DanabotLoader2021
- Blocklisted process makes network request (1 IoCs)
  Processes:
  flow | pid | process
  2 | 3044 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description | pid | process | target process
  PID 2296 wrote to memory of 3044 | 2296 | rundll32.exe | rundll32.exe
  PID 2296 wrote to memory of 3044 | 2296 | rundll32.exe | rundll32.exe
  PID 2296 wrote to memory of 3044 | 2296 | rundll32.exe | rundll32.exe
  PID 2296 wrote to memory of 3044 | 2296 | rundll32.exe | rundll32.exe
  PID 2296 wrote to memory of 3044 | 2296 | rundll32.exe | rundll32.exe
  PID 2296 wrote to memory of 3044 | 2296 | rundll32.exe | rundll32.exe
  PID 2296 wrote to memory of 3044 | 2296 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\973e243a21c58d1ce53e81b6cfb13f29.dll,#1
  - Suspicious use of WriteProcessMemory
  - PID: 2296
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\973e243a21c58d1ce53e81b6cfb13f29.dll,#1
    - Blocklisted process makes network request
    - PID: 3044