Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

SecuriteIn...00.exe

windows7_x64

10

SecuriteIn...00.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    24s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    08/07/2020, 09:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe

  • Size

    2.7MB

  • MD5

    d1ad5859f4298afb39f9747460c9f499

  • SHA1

    22b1e4142b34c3113772c31fe991c924c17ffaec

  • SHA256

    5137839a49af8a01ab62a213c963ad63c77dcfda6b107d46709aecebe3c4f415

  • SHA512

    be41fc0005263508df8020da14108bd46ab0938fa712e8222c43c5349f36d42296d97858eb610cb4af3cac24d056f16fc3a118d933f57dba979fc2735e2a45e2

Score
10/10
danabotbankerbotnettrojan

Malware Config

Extracted

Family

danabot

C2

92.204.160.126

195.133.147.230

185.136.167.253

46.19.136.203

45.138.172.157

185.227.138.52
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 6 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 10 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE@904
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/904-0-0x0000000003690000-0x0000000003907000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/904-1-0x0000000003910000-0x0000000003921000-memory.dmp

    Filesize

    68KB

    Download