Analysis
-
max time kernel
141s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-01-2025 16:36
Behavioral task
behavioral1
Sample
b24a88402e7e47b5239c76a77bdefb646096e44459285e45d72a37481a5ce95a.dll
Resource
win7-20240903-en
General
-
Target
b24a88402e7e47b5239c76a77bdefb646096e44459285e45d72a37481a5ce95a.dll
-
Size
1.3MB
-
MD5
301125bdcffc98cf3b249aeec9fcec3b
-
SHA1
fd35dde2dca443623fd6418b2d96675d61d8c834
-
SHA256
b24a88402e7e47b5239c76a77bdefb646096e44459285e45d72a37481a5ce95a
-
SHA512
1cc00325a04c8eec4cb878d88a203a4af6723a59eda4203cf647266959a3351cdbb507d4aabb82ad6e647bcfa07970cf2c690d570c88342898e94e6af20ddf32
-
SSDEEP
24576:V8pWEmihq5YAWMg4G70JJ84Mla+rbjYKgETK5:2a5NRMD/YTETo
Malware Config
Extracted
danabot
4
23.254.144.209:443
192.236.194.86:443
142.11.192.232:443
-
embedded_hash
0E1A7A1479C37094441FA911262B322A
-
type
loader
Signatures
-
Danabot Loader Component 15 IoCs
resource yara_rule behavioral1/memory/1732-0-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-1-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-2-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-3-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-4-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-5-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-6-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-7-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-8-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-9-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-10-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-11-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-12-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-13-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 behavioral1/memory/1732-14-0x00000000007B0000-0x0000000000912000-memory.dmp DanabotLoader2021 -
Danabot family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 2 1732 rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2084 wrote to memory of 1732 2084 rundll32.exe 30 PID 2084 wrote to memory of 1732 2084 rundll32.exe 30 PID 2084 wrote to memory of 1732 2084 rundll32.exe 30 PID 2084 wrote to memory of 1732 2084 rundll32.exe 30 PID 2084 wrote to memory of 1732 2084 rundll32.exe 30 PID 2084 wrote to memory of 1732 2084 rundll32.exe 30 PID 2084 wrote to memory of 1732 2084 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b24a88402e7e47b5239c76a77bdefb646096e44459285e45d72a37481a5ce95a.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b24a88402e7e47b5239c76a77bdefb646096e44459285e45d72a37481a5ce95a.dll,#12⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:1732
-