Analysis
max time kernel: 140s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2024 05:19
Static task: static1
Behavioral task: behavioral1
Sample: d68e145ac63ec0be07dcf0160a3b512a417a4ee0c8f35240585ae9b13b636684.dll
Resource: win7-20240903-en
General
Target: d68e145ac63ec0be07dcf0160a3b512a417a4ee0c8f35240585ae9b13b636684.dll
Size: 2.5MB
MD5: 3d79bcdd760f59d372f10fe9aef8544c
SHA1: 381a92fec06df17abfda0acbedd16567d1500299
SHA256: d68e145ac63ec0be07dcf0160a3b512a417a4ee0c8f35240585ae9b13b636684
SHA512: f686498381a9341ddf4bc1616f6b06defbfa808ef5fcdde4f7be8113dd13ee5f146b3c032a08e11abaea0dff99baef0be4c4db082e409056364fe516e621e2c0
SSDEEP: 49152:TgZziYTf//Y7t2Z/fZMdzUAOC5n+LlrxFTGWsKq:T0ziYTgZ2Z/f6AAOGarxFTGLv
Malware Config
Extracted
danabot
40
185.158.250.216:443
194.76.225.46:443
45.11.180.153:443
194.76.225.61:443
embedded_hash: AD14EA44261341E3690FA8CC1E236523
type: loader
Signatures
-
Danabot Loader Component 16 IoCs
Danabot family
-
Blocklisted process makes network request 1 IoCs
flow: 24 | pid: 4488 | Process: rundll32.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 3476 wrote to memory of 4488 | 3476 | rundll32.exe | 86
PID 3476 wrote to memory of 4488 | 3476 | rundll32.exe | 86
PID 3476 wrote to memory of 4488 | 3476 | rundll32.exe | 86
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d68e145ac63ec0be07dcf0160a3b512a417a4ee0c8f35240585ae9b13b636684.dll,#1
  PID: 3476
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d68e145ac63ec0be07dcf0160a3b512a417a4ee0c8f35240585ae9b13b636684.dll,#1
    PID: 4488
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery