Analysis

  • max time kernel
    110s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2024 10:48

General

  • Target

    2679fd014c747eb282b71b79ce95e0f2b6c28d544a10ab74bc393439456143b6N.dll

  • Size

    2.5MB

  • MD5

    3e4b803e57c0154b8af15e392da96750

  • SHA1

    56a136e548a838354331ad4098e5baf4ca2395b4

  • SHA256

    2679fd014c747eb282b71b79ce95e0f2b6c28d544a10ab74bc393439456143b6

  • SHA512

    1975dac8ed7943bfc9847f490b15ba8739d02bb7b0369a82b68314db585e53d256532516212b44dc5bfd2de9a8ac2ef827add7fd74b4b711354ce86e472a0130

  • SSDEEP

    49152:KgZziYT4//YDt2Z/fZMdzUAOC5n+LlrxFTGWQKq:K0ziYTJh2Z/f6AAOGarxFTGPv

Malware Config

Extracted

Family

danabot

Botnet

40

C2

185.158.250.216:443

194.76.225.46:443

45.11.180.153:443

194.76.225.61:443

Attributes
  • embedded_hash

    AD14EA44261341E3690FA8CC1E236523

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component 14 IoCs
  • Danabot family
  • Blocklisted process makes network request 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2679fd014c747eb282b71b79ce95e0f2b6c28d544a10ab74bc393439456143b6N.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2679fd014c747eb282b71b79ce95e0f2b6c28d544a10ab74bc393439456143b6N.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:5008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/5008-0-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-2-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-1-0x00000000757D8000-0x00000000757DE000-memory.dmp

    Filesize

    24KB

  • memory/5008-3-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-7-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-8-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-9-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-10-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-11-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-12-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-13-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-14-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-15-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-16-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-17-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB

  • memory/5008-18-0x0000000075560000-0x00000000757EE000-memory.dmp

    Filesize

    2.6MB