DanaBot Lab
Q1) What is the malicious file name used for initial access?
Answer: allegato_708.js
Q2) What is the sha256 hash of the file used for initial access?
Taken from the any.run report for the sample: https://any.run/report/847b4ad90b1daba2d9117a8e05776f3f902dda593fb1252289538acf476c4268/a886894d-8ae4-4d59-a990-b59536885da8 (the report URL itself carries the SHA-256; the same value can be computed locally with sha256sum on the file).
Answer: 847b4ad90b1daba2d9117a8e05776f3f902dda593fb1252289538acf476c4268
Q3) What is the process used to execute the malicious file?
Answer: wscript.exe (Windows Script Host, the default handler for a .js file launched by double-click)
Q4) What is the extension of the second malicious file used by the attacker?
Answer: .dll
Q5) What is the MD5 hash of the second malicious file?
In Wireshark, File -> Export Objects -> HTTP lists the files transferred over HTTP; save the DLL from that dialog and hash it with md5sum (or certutil -hashfile <file> MD5 on Windows).
Answer: e758e07113016aca55d9eda2b0ffeebe
Q6) What is the IP address used by the attacker in initial access?
The server side of the HTTP download in the PCAP; the any.run report lists the same address under its network activity:
Answer: 62.173.146.41
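Q5 and Q6 both come down to the same two steps: find the HTTP request that fetched the second stage and record the server IP, then pull the response body out and hash it. The script below does that by hand on a pcap so the mechanics behind Export Objects are visible. This is example code added to this write-up, not part of the lab or of Wireshark; the capture it parses is constructed in memory with RFC 5737 placeholder addresses and a three-byte stand-in body, and it only handles responses that fit in one TCP segment (real exports need TCP reassembly, which Wireshark does for you).

```python
"""Hand-walk a PCAP the way File -> Export Objects -> HTTP does: list the
HTTP requests (client, server IP, URI) and hash the body of each HTTP
response. Example code added to this write-up, not part of the lab or of
Wireshark; the capture is constructed in memory with RFC 5737 placeholder
addresses, and only single-segment responses are handled (no TCP
reassembly), which is enough to show the mechanics."""
import hashlib
import socket
import struct

SAMPLE_BODY = b"abc"  # constructed stand-in for the downloaded DLL


def hash_bytes(data: bytes) -> dict:
    """The digests you would compute on the exported file (md5sum / sha256sum)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def _checksum(header: bytes) -> int:
    # RFC 1071 ones-complement sum so the constructed IPv4 header is valid.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP(PSH,ACK) frame carrying payload; TCP checksum left 0."""
    eth = bytes.fromhex("0011223344550066778899aa") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    """Constructed two-packet capture: a GET for a DLL and its 200 OK reply."""
    client, server = "192.0.2.10", "198.51.100.20"   # placeholder addresses
    request = b"GET /payload.dll HTTP/1.1\r\nHost: 198.51.100.20\r\n\r\n"
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY
    frames = [_frame(client, server, 49152, 80, request),
              _frame(server, client, 80, 49152, response)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def iter_tcp_payloads(pcap: bytes):
    """Yield (src_ip, dst_ip, tcp_payload) for every IPv4/TCP frame in a pcap."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                           # not TCP
            continue
        tcp = ip[ihl:struct.unpack_from("!H", ip, 2)[0]]
        data_off = (tcp[12] >> 4) * 4
        yield socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), tcp[data_off:]


def find_http_requests(pcap: bytes) -> list:
    """Requests with their server IP: the address that served the second stage."""
    found = []
    for src, dst, data in iter_tcp_payloads(pcap):
        if data.startswith((b"GET ", b"POST ", b"HEAD ")):
            first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
            method, uri, _ = first_line.split(" ", 2)
            found.append({"client": src, "server": dst, "method": method, "uri": uri})
    return found


def export_http_objects(pcap: bytes) -> list:
    """Body of each single-segment HTTP response, with the digests of that body."""
    objects = []
    for src, _, data in iter_tcp_payloads(pcap):
        if data.startswith(b"HTTP/1."):
            _, _, body = data.partition(b"\r\n\r\n")
            objects.append({"server": src, "size": len(body), **hash_bytes(body)})
    return objects


if __name__ == "__main__":
    cap = build_sample_pcap()
    for r in find_http_requests(cap):
        print("request", r)
    for o in export_http_objects(cap):
        print("object ", o)
```

Against the lab PCAP the same two functions point at the download of the .dll and at the server that served it; the only difference is that a multi-segment response needs the segments of the stream concatenated in sequence order before the body is hashed, otherwise the digest will not match the one Export Objects gives you.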
Q7) What is the last malicious IP address in the PCAP that is known to be used as CnC by DanaBot?
Answer: 91.201.67.85