Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    BB11B196D32DF32F5DC5F41447031A54168ADFA66BA4F828F988E58260DB48E0

  • Size

    1.9MB

  • Sample

    220920-gnhbdaffeq

  • MD5

    b80d607c42e36d7ef5ad0609263180f1

  • SHA1

    c73593f3aba0038949b55388a38e09f734e907ec

  • SHA256

    bb11b196d32df32f5dc5f41447031a54168adfa66ba4f828f988e58260db48e0

  • SHA512

    52ef56b38a5ffac9df27801008f2acfdf0da296c826e1af016b5e57c40cc4f7a1ba1b4157667a4f1e55592aa31a0b3b1cddc0650fb415787d685003257e9ab1b

  • SSDEEP

    24576:unbMx0o7kyBNdZBPMHObIi74MUGcKio3rLaGkLGoG8GhIGGQNC6CmTQWPLId+2GC:unKk4EHAIZdArLaGkraKlC9CAeats

Malware Config

Extracted

Family

danabot

C2

23.254.226.20:443

198.15.112.179:443

66.85.147.23:443

Attributes
  • embedded_hash

    8AA34A6CD5B6C9D509DB2C72E1AE6D88

  • type

    loader

Targets

    • Target

      BB11B196D32DF32F5DC5F41447031A54168ADFA66BA4F828F988E58260DB48E0

    • Size

      1.9MB

    • MD5

      b80d607c42e36d7ef5ad0609263180f1

    • SHA1

      c73593f3aba0038949b55388a38e09f734e907ec

    • SHA256

      bb11b196d32df32f5dc5f41447031a54168adfa66ba4f828f988e58260db48e0

    • SHA512

      52ef56b38a5ffac9df27801008f2acfdf0da296c826e1af016b5e57c40cc4f7a1ba1b4157667a4f1e55592aa31a0b3b1cddc0650fb415787d685003257e9ab1b

    • SSDEEP

      24576:unbMx0o7kyBNdZBPMHObIi74MUGcKio3rLaGkLGoG8GhIGGQNC6CmTQWPLId+2GC:unKk4EHAIZdArLaGkraKlC9CAeats

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Modifies visibility of file extensions in Explorer

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks