Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 17:23
Behavioral task
behavioral1
Sample
7ead1ce79a54138ccc18f6387498cfaacaf65df9b338dfe7a5af6e2b9bc5d62c.dll
Resource
win7-20240708-en
General
-
Target
7ead1ce79a54138ccc18f6387498cfaacaf65df9b338dfe7a5af6e2b9bc5d62c.dll
-
Size
1.3MB
-
MD5
a95612bc8f0a83065be725bef4f34fd5
-
SHA1
80a652a058cd041a7a7e4a7636142d806180d4d9
-
SHA256
7ead1ce79a54138ccc18f6387498cfaacaf65df9b338dfe7a5af6e2b9bc5d62c
-
SHA512
0e25b02041b169d0074a2e9ff93acbb8da8193dc20cf95e3728a53988abbff2da1cd0c68071e6e4d4bfde9e831b98620d54b44eb7cc510f83c2c1ac07d0f7d1c
-
SSDEEP
24576:qncFdcHdOgxk3F8TGFnnH0vySpIfAls7JlTUqqZm1:hcEHn9IIfbPTRKm
Malware Config
Extracted
danabot
4
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
-
embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
-
type
loader
Signatures
-
Danabot Loader Component 2 IoCs
resource yara_rule behavioral1/memory/2520-0-0x00000000020B0000-0x0000000002214000-memory.dmp DanabotLoader2021 behavioral1/memory/2520-1-0x00000000020B0000-0x0000000002214000-memory.dmp DanabotLoader2021 -
Danabot family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 2 2520 rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2568 wrote to memory of 2520 2568 rundll32.exe 30 PID 2568 wrote to memory of 2520 2568 rundll32.exe 30 PID 2568 wrote to memory of 2520 2568 rundll32.exe 30 PID 2568 wrote to memory of 2520 2568 rundll32.exe 30 PID 2568 wrote to memory of 2520 2568 rundll32.exe 30 PID 2568 wrote to memory of 2520 2568 rundll32.exe 30 PID 2568 wrote to memory of 2520 2568 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7ead1ce79a54138ccc18f6387498cfaacaf65df9b338dfe7a5af6e2b9bc5d62c.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7ead1ce79a54138ccc18f6387498cfaacaf65df9b338dfe7a5af6e2b9bc5d62c.dll,#12⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:2520
-