General

  • Target

    6843e9b84284b74e34dad59595a18637937671050c786fae7847eabb4b63f8b3

  • Size

    149KB

  • Sample

    221017-cgejpaaeek

  • MD5

    b78d25bc46ad351746af259f1b629cfe

  • SHA1

    b621b03ddc95217e8fb6d069c83595223bdea0de

  • SHA256

    591bf63308311312fd34e7f3808dc2dc90c6ce499340bfd07ff770974bca9c90

  • SHA512

    354ddacd36ab4f27dfcdb8ef311dae5ffbd6ae92db7b62095e4ca7fb8b41d1db5be85bc1c0cacb6db7f39b78233f75497ae3f9d98d8bd9fce66a2c0f62b37ae3

  • SSDEEP

    3072:3UUlrls14OfhjCva2eyT8cc22Y/38Kd6+XI6Nb8OrnEvuTAGqjVZ2tA:3ZlsXlCAysm/sKc+X9b8EnEmkTjV8i

Malware Config

Extracted

Family

danabot

C2

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443

Attributes

  • embedded_hash

    56951C922035D696BFCE443750496462

  • type

    loader

Targets

    • Target

      6843e9b84284b74e34dad59595a18637937671050c786fae7847eabb4b63f8b3

    • Size

      225KB

    • MD5

      867f3cc3fec8eb835ce43577d208454c

    • SHA1

      441d9bfccfb833adb3ef54319c724ffda5a84c83

    • SHA256

      6843e9b84284b74e34dad59595a18637937671050c786fae7847eabb4b63f8b3

    • SHA512

      adfe4cbfc292acf289c0d4f6ef87ba90b28c7b56906020e0ae6b3cc5a27839505ee304488748d8362342903e0e1acc5ce14983ef0b3c5bb96afcf1dbef8a3295

    • SSDEEP

      3072:mUXpWwHQLpVAYpBNe5lBs1P1J1wc22Y/38KdO79m0K80ZOCWgkZWH+UuS:fPHQL7BN/Rm/sK8Zm0c92aHuS

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks