Analysis

max time kernel: 143s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-02-2024 08:16

Static task: static1
Behavioral task: behavioral1
Sample: a8aba262bcadfe4fb63930d4d9533fc2.exe
Resource: win7-20240221-en
General

Target: a8aba262bcadfe4fb63930d4d9533fc2.exe
Size: 1.2MB
MD5: a8aba262bcadfe4fb63930d4d9533fc2
SHA1: 2c5e2d715f6c19de2a4ec38da5c6c98536171c02
SHA256: b48cf1854b8ff73a0bb9d4e54b5811ea3ac7a5d3e0c6c57f8825a4de396f36cc
SHA512: f5dfaf99040f9b9a89890e90d0576a1d842745478ca902af4f8953330940f84314d0bff58d6e218a40841a73ee1ed0a01d2aba228085c7193ef2920cb8de0389
SSDEEP: 24576:XIojPlC7PV2kKjW7zeYPmf1Bpw0BL3rd+2wl4W/Vpnr8dvWoNU:XTY7tDeNBpZBL36l4W/f81
Malware Config

Extracted: danabot
  4
  142.11.244.124:443
  142.11.206.50:443
  embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
  type: loader
Signatures

Danabot Loader Component (5 IoCs)
  resource                                                                   | yara_rule
  C:\Users\Admin\AppData\Local\Temp\A8ABA2~1.TMP                             | DanabotLoader2021
  behavioral1/memory/2820-9-0x0000000000A40000-0x0000000000B9E000-memory.dmp | DanabotLoader2021
  behavioral1/memory/2820-10-0x0000000000A40000-0x0000000000B9E000-memory.dmp | DanabotLoader2021
  behavioral1/memory/2820-19-0x0000000000A40000-0x0000000000B9E000-memory.dmp | DanabotLoader2021
  behavioral1/memory/2820-20-0x0000000000A40000-0x0000000000B9E000-memory.dmp | DanabotLoader2021

Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  flow | pid  | process
  2    | 2820 | rundll32.exe

Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid  | process
  2820 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: a8aba262bcadfe4fb63930d4d9533fc2.exe
  description                    | pid  | process                              | target process
  PID 2488 wrote to memory of 2820 | 2488 | a8aba262bcadfe4fb63930d4d9533fc2.exe | rundll32.exe
  PID 2488 wrote to memory of 2820 | 2488 | a8aba262bcadfe4fb63930d4d9533fc2.exe | rundll32.exe
  PID 2488 wrote to memory of 2820 | 2488 | a8aba262bcadfe4fb63930d4d9533fc2.exe | rundll32.exe
  PID 2488 wrote to memory of 2820 | 2488 | a8aba262bcadfe4fb63930d4d9533fc2.exe | rundll32.exe
  PID 2488 wrote to memory of 2820 | 2488 | a8aba262bcadfe4fb63930d4d9533fc2.exe | rundll32.exe
  PID 2488 wrote to memory of 2820 | 2488 | a8aba262bcadfe4fb63930d4d9533fc2.exe | rundll32.exe
  PID 2488 wrote to memory of 2820 | 2488 | a8aba262bcadfe4fb63930d4d9533fc2.exe | rundll32.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a8aba262bcadfe4fb63930d4d9533fc2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a8aba262bcadfe4fb63930d4d9533fc2.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A8ABA2~1.TMP,S C:\Users\Admin\AppData\Local\Temp\A8ABA2~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\A8ABA2~1.TMP
  Filesize: 1.3MB
  MD5: 1c78e599c4cd81a8d24b261d3bcf4edb
  SHA1: 5b57d44ca8a87d2f00dd1425854b9dce5b1359ed
  SHA256: b07c448bfca39a69d5f715d7a780a6524365040b1ccb048ed643ee3f0ab605ff
  SHA512: 83a0a69f297c0774da9257e25f19b318b1b66b0769dd6852ad61874bc75bf8058b6ac2478564e6aca891b9ec811ed17186f05eea94083f14fa4c0acc0946d8e2

memory/2488-0-0x0000000003330000-0x000000000341A000-memory.dmp
  Filesize: 936KB

memory/2488-1-0x0000000003330000-0x000000000341A000-memory.dmp
  Filesize: 936KB

memory/2488-2-0x0000000004C60000-0x0000000004D5F000-memory.dmp
  Filesize: 1020KB

memory/2488-7-0x0000000000400000-0x0000000003327000-memory.dmp
  Filesize: 47.2MB

memory/2488-5-0x0000000000400000-0x0000000003327000-memory.dmp
  Filesize: 47.2MB

memory/2488-12-0x0000000000400000-0x0000000003327000-memory.dmp
  Filesize: 47.2MB

memory/2820-9-0x0000000000A40000-0x0000000000B9E000-memory.dmp
  Filesize: 1.4MB

memory/2820-10-0x0000000000A40000-0x0000000000B9E000-memory.dmp
  Filesize: 1.4MB

memory/2820-19-0x0000000000A40000-0x0000000000B9E000-memory.dmp
  Filesize: 1.4MB

memory/2820-20-0x0000000000A40000-0x0000000000B9E000-memory.dmp
  Filesize: 1.4MB