Analysis

  • max time kernel: 127s
  • max time network: 116s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 25/01/2021, 14:38 UTC

General

  • Target: c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d.bin.exe
  • Size: 4.4MB
  • MD5: c55a1a3a135dcc3a771ea4648862a202
  • SHA1: 7c156e5701b0cf7eaf3a38cc1f5f68992bfe62f8
  • SHA256: c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d
  • SHA512: c1254cad4d620b96a2a620ef54a3c6391a3ddfece27819348cac5166489f788b827828f227c2dd5f893152d5c591eb1f63cfe14e99ad098f14b5b9ff59fce521

Malware Config

Extracted

  • Family: danabot
  • Version: 1732
  • Botnet: 3
  • C2:
    23.226.132.92:443
    23.106.123.249:443
    108.62.141.152:443
    104.144.64.163:443

Attributes
  • embedded_hash: 49574F66CD0103BBD725C08A9805C2BE

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh/lNe6SSLwPc2gNhUE+iVi9dO
d3gIHfMzNnbEl96/p4BRjjRxB+j6kCaz2/jzEAoje4X5z/TJ2CPoqdmYFssgEq7/
bX2ir0VyilMqXOeL+f5JYe7Q/q2+PC29MKZnJv++5nQKH+Iss9IqF8kZ8stZfXY6
lOfrrkD1xZ6/PSMnuwIDAQAB
-----END PUBLIC KEY-----

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXE9ggBguFjDH/zGgTHPy0K3Jj
xO+pvrY419Sx+g8wwe6iXo1EADtloHnXef2s8Alna+pwVxyib0PiJuC7BJ1j84re
Zr2X8CUlvHUmDMFSNZ1S3aWE2y1bSzwNTsw/pqfM+2ICA+Im0wGGfnnaonEg2YJW
U+7pUNNUPlxGOtLq/QIDAQAB
-----END PUBLIC KEY-----
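The C2 addresses in a Danabot config rotate between builds, while the embedded RSA public keys are far more stable and make a better pivot across samples. The script below is an added example, not tria.ge's extractor or any Danabot tooling: it takes the two PEM keys and the four C2 entries copied from the config above, parses the SubjectPublicKeyInfo with a minimal DER reader (no third-party library) to recover the modulus size, exponent and a SHA-256 fingerprint of the DER key, validates the C2 entries as IPv4:port, and emits Suricata alert rules for them. The rule sids are placeholders from the local-rules range; the `flow:to_server` and `$HOME_NET` choices are mine, not from the report.

```python
import base64
import hashlib
import ipaddress

# Copied from the extracted config above (Danabot, version 1732, botnet 3).
DANABOT_C2 = [
    "23.226.132.92:443",
    "23.106.123.249:443",
    "108.62.141.152:443",
    "104.144.64.163:443",
]

RSA_PUBKEYS = [
    """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh/lNe6SSLwPc2gNhUE+iVi9dO
d3gIHfMzNnbEl96/p4BRjjRxB+j6kCaz2/jzEAoje4X5z/TJ2CPoqdmYFssgEq7/
bX2ir0VyilMqXOeL+f5JYe7Q/q2+PC29MKZnJv++5nQKH+Iss9IqF8kZ8stZfXY6
lOfrrkD1xZ6/PSMnuwIDAQAB
-----END PUBLIC KEY-----""",
    """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXE9ggBguFjDH/zGgTHPy0K3Jj
xO+pvrY419Sx+g8wwe6iXo1EADtloHnXef2s8Alna+pwVxyib0PiJuC7BJ1j84re
Zr2X8CUlvHUmDMFSNZ1S3aWE2y1bSzwNTsw/pqfM+2ICA+Im0wGGfnnaonEg2YJW
U+7pUNNUPlxGOtLq/QIDAQAB
-----END PUBLIC KEY-----""",
]

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(pem):
    """Parse a PEM SubjectPublicKeyInfo carrying an RSAPublicKey, stdlib only."""
    b64 = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)            # AlgorithmIdentifier { OID, NULL }
    _, oid, _ = _tlv(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)         # BIT STRING, first byte = unused-bit count
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsakey, _ = _tlv(bitstr, 1)           # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = _tlv(rsakey, 0)
    _, e_bytes, _ = _tlv(rsakey, pos)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "bits": n.bit_length(),
        "e": e,
        "spki_sha256": hashlib.sha256(der).hexdigest(),  # pivot value that survives C2 rotation
    }


def parse_c2(entries):
    """Turn 'ip:port' strings into IOC records; anything that is not IPv4/IPv6:port raises."""
    records = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        records.append({"ip": str(ipaddress.ip_address(host)), "port": int(port), "proto": "tcp"})
    return records


def suricata_rules(c2=DANABOT_C2, base_sid=9000001):
    """One alert per C2 endpoint. base_sid is a placeholder in the local-rules range."""
    rules = []
    for i, rec in enumerate(parse_c2(c2)):
        rules.append(
            f'alert tcp $HOME_NET any -> {rec["ip"]} {rec["port"]} '
            f'(msg:"Danabot C2 {rec["ip"]}:{rec["port"]}"; flow:to_server; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for key in RSA_PUBKEYS:
        print(parse_rsa_spki(key))
    print("\n".join(suricata_rules()))
```

Both keys decode as 1024-bit RSA with e = 65537; the SPKI fingerprints are what you would store alongside the `embedded_hash` attribute to match future builds whose C2 list has already changed.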

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request (4 IoCs)
  • Deletes itself (1 IoC)
  • Loads dropped DLL (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other profile contents.

  • Checks installed software on the system (1 TTP)

    Looks up entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d.bin.exe"
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C0EB80~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\C0EB80~1.EXE
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\C0EB80~1.DLL,jS1g
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:3520
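The process tree above is the detection opportunity on the host: the dropper hands off to rundll32.exe with a DLL in the user's %TEMP% (referenced by its 8.3 short name C0EB80~1.DLL) and export Z, passing the original EXE path as an argument (that process is the one flagged "Deletes itself"), and that rundll32 spawns a second one with export jS1g which makes the C2 connections. The following is an added example, not part of the tria.ge report and not Danabot-specific: a scoring check over process-creation command lines (the format of a Sysmon Event ID 1 CommandLine field) that treats a rundll32 module under a user-writable directory as the strong signal and a short-name path or an ordinal/very short export as weak corroborating signals. The two rundll32 lines are copied from the report; the other sample lines, the directory list, the weights and the threshold are constructed and should be tuned to your environment.

```python
import re

# Process-creation command lines. The first two are the rundll32 invocations from the
# report above; the remaining three are constructed benign controls.
SAMPLE_CMDLINES = [
    r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C0EB80~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\C0EB80~1.EXE",
    r"C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\C0EB80~1.DLL,jS1g",
    r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\notes.txt",
    r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Contoso\updater.dll",RunUpdateCheck',
    r"C:\Windows\system32\svchost.exe -k netsvcs -p",
]

# Directories an unprivileged user can write to (constructed list; extend for your estate).
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)

# rundll32[.exe] <module>,<export> [args]; the module is quoted when it contains spaces.
RUNDLL = re.compile(
    r'(?i)(?:^|\\)rundll32(?:\.exe)?"?\s+(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,"]+)),(?P<export>[^\s"]+)'
)


def assess_rundll32(cmdline):
    """Score one command line; returns None when it is not a rundll32 invocation."""
    m = RUNDLL.search(cmdline)
    if not m:
        return None
    dll = m.group("qdll") or m.group("dll")
    export = m.group("export")
    low = dll.lower().replace("/", "\\")
    score, reasons = 0, []
    if any(d in low for d in USER_WRITABLE):
        score += 3                                  # strong: module staged in a writable directory
        reasons.append("module loaded from user-writable path")
    if "~" in low:
        score += 1                                  # weak: 8.3 short name, as in C0EB80~1.DLL
        reasons.append("8.3 short name in module path")
    if export.startswith("#") or len(export) <= 4:
        score += 1                                  # weak: ordinal or throwaway export name (Z, jS1g)
        reasons.append("ordinal or very short export name")
    return {"dll": dll, "export": export, "score": score, "reasons": reasons}


def scan(cmdlines, threshold=3):
    """Return the assessments at or above threshold, in input order."""
    hits = []
    for line in cmdlines:
        result = assess_rundll32(line)
        if result and result["score"] >= threshold:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit["score"], hit["dll"], hit["export"], "; ".join(hit["reasons"]))
```

The writable-path signal alone crosses the threshold, so the weak signals only raise confidence; this keeps shell32.dll control-panel launches and signed vendor DLLs under Program Files at zero. Pair the host rule with the C2 addresses from the config for corroboration: the second rundll32 (PID 3520) is the process the report associates with the network requests.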

Network

  • 23.226.132.92:443   RUNDLL32.EXE   156 B   3
  • 23.106.123.249:443  RUNDLL32.EXE   156 B   3
  • 108.62.141.152:443  RUNDLL32.EXE   156 B   3
  • 104.144.64.163:443  RUNDLL32.EXE   156 B   3


Downloads

  • memory/3284-15-0x0000000004AB1000-0x000000000510F000-memory.dmp  (6.4MB)
  • memory/3284-10-0x0000000004171000-0x0000000004528000-memory.dmp  (3.7MB)
  • memory/3520-16-0x0000000004FF1000-0x000000000564F000-memory.dmp  (6.4MB)
  • memory/3920-5-0x0000000000400000-0x00000000007E9000-memory.dmp  (3.9MB)
  • memory/3920-2-0x0000000005560000-0x0000000005561000-memory.dmp  (4KB)
  • memory/3920-3-0x0000000005190000-0x000000000555B000-memory.dmp  (3.8MB)
  • memory/3920-4-0x0000000005560000-0x000000000593D000-memory.dmp  (3.9MB)
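The dump file names encode PID, sequence number and the virtual address range of each captured region, and the sizes alone already say something: the 6.4MB region appears at different addresses in both rundll32 processes (3284 and 3520), which is the usual sign of the same stage being mapped in both, and the region at 0x400000 in PID 3920 is most likely the mapped original executable (0x400000 is the default 32-bit image base; the report does not label it, so treat that as an assumption). The helper below is an added example, not tria.ge tooling: it parses the names listed above, reproduces the report's size rounding, reports sizes shared across PIDs, and orders the remaining regions for triage. Identical size is a hint, not proof; confirm by diffing the two dumps.

```python
import re
from collections import defaultdict

# Dump names copied from the Downloads section above.
DUMP_NAMES = [
    "memory/3284-15-0x0000000004AB1000-0x000000000510F000-memory.dmp",
    "memory/3284-10-0x0000000004171000-0x0000000004528000-memory.dmp",
    "memory/3520-16-0x0000000004FF1000-0x000000000564F000-memory.dmp",
    "memory/3920-5-0x0000000000400000-0x00000000007E9000-memory.dmp",
    "memory/3920-2-0x0000000005560000-0x0000000005561000-memory.dmp",
    "memory/3920-3-0x0000000005190000-0x000000000555B000-memory.dmp",
    "memory/3920-4-0x0000000005560000-0x000000000593D000-memory.dmp",
]

IMAGE_BASE_32 = 0x400000   # assumption: default 32-bit image base marks the mapped original EXE

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp -> dict with integer fields and size."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human(size):
    """Binary units rounded the way the report prints them: one decimal MB, whole KB below 1MB."""
    if size >= 1 << 20:
        return f"{size / (1 << 20):.1f}MB"
    return f"{size // 1024}KB"


def shared_stages(names):
    """Map exact region size -> sorted PIDs, for sizes that occur in more than one process."""
    by_size = defaultdict(set)
    for region in map(parse_dump_name, names):
        by_size[region["size"]].add(region["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def triage_order(names):
    """Largest regions first, skipping the region at the assumed image base of the sample."""
    regions = [r for r in map(parse_dump_name, names) if r["start"] != IMAGE_BASE_32]
    return sorted(regions, key=lambda r: (-r["size"], r["pid"], r["seq"]))


if __name__ == "__main__":
    for size, pids in shared_stages(DUMP_NAMES).items():
        print(f"{human(size)} region present in PIDs {pids}")
    for r in triage_order(DUMP_NAMES):
        print(f"{r['pid']:>5} #{r['seq']:<3} 0x{r['start']:08X}-0x{r['end']:08X} {human(r['size'])}")
```

Run as is, it reports the 6.4MB region as shared by PIDs 3284 and 3520 and puts those two dumps first; the 4KB region in PID 3920 lands last and is the one to ignore unless the larger ones turn out to be empty.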
