Analysis

  • max time kernel
    140s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2024 05:19

General

  • Target

    d68e145ac63ec0be07dcf0160a3b512a417a4ee0c8f35240585ae9b13b636684.dll

  • Size

    2.5MB

  • MD5

    3d79bcdd760f59d372f10fe9aef8544c

  • SHA1

    381a92fec06df17abfda0acbedd16567d1500299

  • SHA256

    d68e145ac63ec0be07dcf0160a3b512a417a4ee0c8f35240585ae9b13b636684

  • SHA512

    f686498381a9341ddf4bc1616f6b06defbfa808ef5fcdde4f7be8113dd13ee5f146b3c032a08e11abaea0dff99baef0be4c4db082e409056364fe516e621e2c0

  • SSDEEP

    49152:TgZziYTf//Y7t2Z/fZMdzUAOC5n+LlrxFTGWsKq:T0ziYTgZ2Z/f6AAOGarxFTGLv

Malware Config

Extracted

Family

danabot

Botnet

40

C2

185.158.250.216:443

194.76.225.46:443

45.11.180.153:443

194.76.225.61:443

Attributes
  • embedded_hash

    AD14EA44261341E3690FA8CC1E236523

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component 16 IoCs
  • Danabot family
  • Blocklisted process makes network request 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d68e145ac63ec0be07dcf0160a3b512a417a4ee0c8f35240585ae9b13b636684.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3476
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d68e145ac63ec0be07dcf0160a3b512a417a4ee0c8f35240585ae9b13b636684.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:4488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4488-0-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-1-0x00000000751E8000-0x00000000751EE000-memory.dmp

    Filesize

    24KB

  • memory/4488-2-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-4-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-7-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-8-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-9-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-10-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-11-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-12-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-13-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-14-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-15-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-16-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-17-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-18-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-19-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-20-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB

  • memory/4488-21-0x0000000074F70000-0x00000000751FE000-memory.dmp

    Filesize

    2.6MB