Analysis
max time kernel: 110s
max time network: 107s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/11/2024, 13:32
Static task: static1
Behavioral task: behavioral1
Sample: 13d5e073162b4ec07be70c54fbf2ab55f6bf21867aa692c94977be50bbd67648N.dll
Resource: win7-20240903-en
General
Target: 13d5e073162b4ec07be70c54fbf2ab55f6bf21867aa692c94977be50bbd67648N.dll
Size: 4.3MB
MD5: 6d26e4f13b17d1ee42e371c599206c80
SHA1: f38f9bb87829910ffcd983ab3b1aad00ced6dc62
SHA256: 13d5e073162b4ec07be70c54fbf2ab55f6bf21867aa692c94977be50bbd67648
SHA512: 1fa19d93e6f0f59490b72331b77500bdb2dd048245ddcca58286a01bec30cb98aebfa9e766362414beabc93c656eea2d7dcc07946db348141ebefd213415638e
SSDEEP: 98304:7D5gnLHf9/uXEjQIYmwjc3ebCgkonupIlmWAVqMkM/:7DynLHf9/aEjQIYmwjc3ebCgkOudWA4q
Malware Config
Extracted family: danabot
C2 addresses:
  104.234.239.223:443
  104.234.119.237:443
  104.156.149.14:443
  104.234.119.246:443
type: loader
Signatures

Danabot family

Blocklisted process makes network request (1 IoC)
  flow   pid    Process
  2      2964   rundll32.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid    Process        procid_target
  PID 2300 wrote to memory of 2964   2300   rundll32.exe   30
  PID 2300 wrote to memory of 2964   2300   rundll32.exe   30
  PID 2300 wrote to memory of 2964   2300   rundll32.exe   30
  PID 2300 wrote to memory of 2964   2300   rundll32.exe   30
  PID 2300 wrote to memory of 2964   2300   rundll32.exe   30
  PID 2300 wrote to memory of 2964   2300   rundll32.exe   30
  PID 2300 wrote to memory of 2964   2300   rundll32.exe   30
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13d5e073162b4ec07be70c54fbf2ab55f6bf21867aa692c94977be50bbd67648N.dll,#1
   PID: 2300
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13d5e073162b4ec07be70c54fbf2ab55f6bf21867aa692c94977be50bbd67648N.dll,#1
      PID: 2964
      - Blocklisted process makes network request
      - System Location Discovery: System Language Discovery