Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    2cf2ee2db74747868d2f966ffdaa427a78f0815ac4bfd7cb80691716bb7bc1f7

  • Size

    230KB

  • Sample

    221019-x2891sdhhk

  • MD5

    b63164b2b5bad650747aebaae0a7ffcb

  • SHA1

    d5511ec757f50be23024ab8c8f9f756bfe661b0d

  • SHA256

    2cf2ee2db74747868d2f966ffdaa427a78f0815ac4bfd7cb80691716bb7bc1f7

  • SHA512

    6a4a3971f4f5244474a658dcd513a1f69b639bd8ad952ed1481a13548f667524430f0f043a862699eb6c10ef774fefd170ae76e1e4d12136dba7fb36eb5ade73

  • SSDEEP

    3072:mA2Cj4CVppigS+dLc3vNHvWh5oxgYzM8JZBZ865TtLSYUzrZDuLbak:mA/M8VLc3FHvQ5XUd5Tt3UzrYLe

Malware Config

Extracted

Family

danabot

C2

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443

Attributes
  • embedded_hash

    56951C922035D696BFCE443750496462

  • type

    loader

Targets

    • Target

      2cf2ee2db74747868d2f966ffdaa427a78f0815ac4bfd7cb80691716bb7bc1f7

    • Size

      230KB

    • MD5

      b63164b2b5bad650747aebaae0a7ffcb

    • SHA1

      d5511ec757f50be23024ab8c8f9f756bfe661b0d

    • SHA256

      2cf2ee2db74747868d2f966ffdaa427a78f0815ac4bfd7cb80691716bb7bc1f7

    • SHA512

      6a4a3971f4f5244474a658dcd513a1f69b639bd8ad952ed1481a13548f667524430f0f043a862699eb6c10ef774fefd170ae76e1e4d12136dba7fb36eb5ade73

    • SSDEEP

      3072:mA2Cj4CVppigS+dLc3vNHvWh5oxgYzM8JZBZ865TtLSYUzrZDuLbak:mA/M8VLc3FHvQ5XUd5Tt3UzrYLe

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks