Analysis
- max time kernel: 110s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-11-2024 10:48
Static task: static1
Behavioral task: behavioral1
Sample: 2679fd014c747eb282b71b79ce95e0f2b6c28d544a10ab74bc393439456143b6N.dll
Resource: win7-20240903-en
General
- Target: 2679fd014c747eb282b71b79ce95e0f2b6c28d544a10ab74bc393439456143b6N.dll
- Size: 2.5MB
- MD5: 3e4b803e57c0154b8af15e392da96750
- SHA1: 56a136e548a838354331ad4098e5baf4ca2395b4
- SHA256: 2679fd014c747eb282b71b79ce95e0f2b6c28d544a10ab74bc393439456143b6
- SHA512: 1975dac8ed7943bfc9847f490b15ba8739d02bb7b0369a82b68314db585e53d256532516212b44dc5bfd2de9a8ac2ef827add7fd74b4b711354ce86e472a0130
- SSDEEP: 49152:KgZziYT4//YDt2Z/fZMdzUAOC5n+LlrxFTGWQKq:K0ziYTJh2Z/f6AAOGarxFTGPv
Malware Config
Extracted
- danabot
- 40
- 185.158.250.216:443
- 194.76.225.46:443
- 45.11.180.153:443
- 194.76.225.61:443
- embedded_hash: AD14EA44261341E3690FA8CC1E236523
- type: loader
Signatures
- Danabot Loader Component (14 IoCs)
  resource (yara_rule: DanabotLoader2021):
  - behavioral2/memory/5008-2-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-3-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-7-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-8-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-9-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-10-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-11-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-12-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-13-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-14-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-15-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-16-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-17-0x0000000075560000-0x00000000757EE000-memory.dmp
  - behavioral2/memory/5008-18-0x0000000075560000-0x00000000757EE000-memory.dmp
- Danabot family
- Blocklisted process makes network request (1 IoCs)
  flow: 24, pid: 5008, Process: rundll32.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 5092 wrote to memory of 5008, pid: 5092, Process: rundll32.exe, procid_target: 86
  description: PID 5092 wrote to memory of 5008, pid: 5092, Process: rundll32.exe, procid_target: 86
  description: PID 5092 wrote to memory of 5008, pid: 5092, Process: rundll32.exe, procid_target: 86
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2679fd014c747eb282b71b79ce95e0f2b6c28d544a10ab74bc393439456143b6N.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 5092
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2679fd014c747eb282b71b79ce95e0f2b6c28d544a10ab74bc393439456143b6N.dll,#1
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID: 5008