General

  • Target: file.exe
  • Size: 235KB
  • Sample: 221216-nhpxlahd7v
  • MD5: 6a70c8ff0b09cc809fa362398e18b3c2
  • SHA1: 77011a9774d30c2aa71777ef756b217442d57564
  • SHA256: f331a3b1ab03bd227de9722bfc16dfaf0bdf8a692995ebc868c711c08f664b9c
  • SHA512: 87f3a3fd21850d3175ef9af86f6e7a4cf2d5fad410726a48d6a12bce0e80f9dc423e7b9a388a3341386aaae39479902fd0e41c133707d9ffd2fbbc363b09e139
  • SSDEEP: 6144:eLhyLd3BRfc5wE2BO4IQGkRQmFstTtTHX8qMrc:eLhyFPQwLE4I1kjFsPT38n

Malware Config

Extracted

Family: danabot

C2:
  • 49.0.50.0:57
  • 51.0.52.0:0
  • 53.0.54.0:1200
  • 55.0.56.0:65535

Caveat: treat this C2 list as an extractor artifact until it is confirmed from network traffic. Port 0 is not a usable destination port and 65535 is an implausible one, and the address bytes are consecutive ASCII digits interleaved with zero bytes (49,0,50,0 ... 55,0,56,0), which decode as the UTF-16LE string "12345678". That pattern is consistent with placeholder or test data sitting where the extractor expects the address table, not with live infrastructure.

Attributes
  • type: loader
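The following script is an added example, not Triage's extractor and not part of this report. Its only input is the C2 list copied from the report; the plausibility heuristics (port 0 and 65535, the alternating-zero byte test, the UTF-16LE decode) are the example's own reasoning about why these entries look like placeholders rather than real addresses.

```python
"""Sanity-check C2 entries from a sandbox config extraction.

Added example for this report. The REPORTED_C2 list is copied from the
report; the checks below are this example's own heuristics.
"""
from __future__ import annotations

import ipaddress

# C2 entries exactly as listed in the extracted Danabot config.
REPORTED_C2 = [
    "49.0.50.0:57",
    "51.0.52.0:0",
    "53.0.54.0:1200",
    "55.0.56.0:65535",
]


def parse_c2(entry: str) -> tuple[ipaddress.IPv4Address, int]:
    """Split 'a.b.c.d:port' into an IPv4Address and an int port."""
    host, _, port = entry.rpartition(":")
    return ipaddress.IPv4Address(host), int(port)


def implausibility_reasons(entry: str) -> list[str]:
    """Return the reasons an extracted C2 entry looks like an artifact (empty if none)."""
    addr, port = parse_c2(entry)
    reasons: list[str] = []
    if port == 0:
        reasons.append("port 0 is not a usable destination port")
    if port == 65535:
        reasons.append("port 65535 is an implausible C2 port (looks like 0xFFFF filler)")
    if not addr.is_global:
        reasons.append(f"{addr} is not a globally routable address")
    octets = addr.packed
    # Every second byte zero and the others printable ASCII: the "address" is
    # really a UTF-16LE text fragment that the extractor mis-parsed as IPv4.
    if octets[1] == 0 and octets[3] == 0 and all(0x20 <= b < 0x7F for b in octets[::2]):
        reasons.append(f"octets decode as UTF-16LE text {octets.decode('utf-16-le')!r}")
    return reasons


def decode_addresses_as_utf16le(entries: list[str]) -> str:
    """Concatenate the address octets of all entries and decode them as UTF-16LE."""
    raw = b"".join(parse_c2(e)[0].packed for e in entries)
    return raw.decode("utf-16-le", errors="replace")


def triage(entries: list[str]) -> dict[str, list[str]]:
    """Map every entry to its list of implausibility reasons."""
    return {e: implausibility_reasons(e) for e in entries}


if __name__ == "__main__":
    for entry, reasons in triage(REPORTED_C2).items():
        status = "suspect" if reasons else "plausible"
        print(f"{entry:<20} {status}: {'; '.join(reasons)}")
    print("address bytes as UTF-16LE:", repr(decode_addresses_as_utf16le(REPORTED_C2)))
```

Run it against any extracted C2 list before pushing the addresses into a blocklist; an entry that decodes cleanly as text, or that uses port 0, should be held back until the sandbox's network log shows an actual connection attempt.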

Targets

    • Target: file.exe
    • Size: 235KB

    • Danabot

      Danabot is a modular banking trojan, first reported in 2018, that is routinely delivered by other malware families (SmokeLoader among them) and fetches most of its functionality as downloaded plugins.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor/loader trojan sold on underground forums since 2011 and used mainly to drop further payloads.

    • Downloads MZ/PE file

      A file fetched over the network starts with the MZ header, i.e. the sample pulled down a second-stage executable.

    • Executes dropped EXE

    • Checks computer location settings

      Reads the country code from the registry (HKCU\Control Panel\International\Geo\Nation), a common geofence check used to skip machines in specific countries.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread called with the ThreadHideFromDebugger information class (0x11), which stops the thread from delivering debug events to an attached debugger; a classic anti-debugging measure.

    • Suspicious use of SetThreadContext

      Rewriting another thread's register set (typically the instruction pointer) with SetThreadContext is how process hollowing and related injection techniques redirect execution into injected code.
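To make the behavioural signatures above concrete, here is an added example (not Triage's detection code and not data from this report) that replays a constructed API trace and raises the same signature names. Everything in the trace is assumed: the event schema (pid/api/args), pids, handles, paths and the URL are illustrative; only the ThreadHideFromDebugger class value (0x11), the CREATE_SUSPENDED flag (0x4) and the Geo\Nation registry path are real Windows constants.

```python
"""Replay this report's behavioural signatures over a constructed API trace.

Added example, not Triage's detector. The trace mirrors the signatures
listed above (geofence lookup, ThreadHideFromDebugger, PE download,
dropped-EXE execution, remote SetThreadContext); all values are assumptions.
"""
from __future__ import annotations

THREAD_HIDE_FROM_DEBUGGER = 0x11          # ThreadInformationClass value (real Windows constant)
CREATE_SUSPENDED = 0x4                     # CreateProcess flag (real Windows constant)
GEO_KEY_SUFFIX = r"control panel\international\geo"
CREATE_PROCESS_APIS = {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW", "NtCreateUserProcess"}
SET_CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}

# Constructed trace: a loader (pid 1000) hollows a suspended child it spawned (pid 2000).
TRACE = [
    {"pid": 1000, "api": "RegQueryValueExW",
     "args": {"key": r"HKCU\Control Panel\International\Geo", "value": "Nation"}},
    {"pid": 1000, "api": "NtSetInformationThread",
     "args": {"thread": 0xFC, "class": THREAD_HIDE_FROM_DEBUGGER}},
    {"pid": 1000, "api": "InternetReadFile",
     "args": {"url": "http://c2.invalid/stage2.bin", "data_prefix": b"MZ\x90\x00"}},
    {"pid": 1000, "api": "WriteFile",
     "args": {"path": r"C:\Users\Admin\AppData\Local\Temp\stage2.exe"}},
    {"pid": 1000, "api": "CreateProcessW",
     "args": {"image": r"C:\Users\Admin\AppData\Local\Temp\stage2.exe",
              "flags": CREATE_SUSPENDED, "new_pid": 2000}},
    {"pid": 1000, "api": "WriteProcessMemory", "args": {"target_pid": 2000, "address": 0x400000}},
    {"pid": 1000, "api": "SetThreadContext", "args": {"target_pid": 2000, "thread": 0x1A4}},
    {"pid": 1000, "api": "ResumeThread", "args": {"target_pid": 2000, "thread": 0x1A4}},
]


def detect(trace: list[dict]) -> list[dict]:
    """Return one finding per matched signature, in trace order."""
    findings: list[dict] = []
    dropped_exes: set[str] = set()                # lower-cased .exe paths the sample wrote
    remote_writes: set[tuple[int, int]] = set()   # (writer pid, target pid)

    def hit(name: str, index: int) -> None:
        findings.append({"signature": name, "event": index, "api": trace[index]["api"]})

    for i, ev in enumerate(trace):
        pid, api, a = ev["pid"], ev["api"], ev["args"]
        if api == "NtSetInformationThread" and a.get("class") == THREAD_HIDE_FROM_DEBUGGER:
            hit("Suspicious use of NtSetInformationThreadHideFromDebugger", i)
        elif (api.startswith("RegQueryValueEx")
              and a.get("key", "").lower().endswith(GEO_KEY_SUFFIX)
              and a.get("value") == "Nation"):
            hit("Checks computer location settings", i)
        elif api == "InternetReadFile" and a.get("data_prefix", b"").startswith(b"MZ"):
            hit("Downloads MZ/PE file", i)
        elif api == "WriteFile" and a.get("path", "").lower().endswith(".exe"):
            dropped_exes.add(a["path"].lower())
        elif api in CREATE_PROCESS_APIS and a.get("image", "").lower() in dropped_exes:
            hit("Executes dropped EXE", i)
        elif api == "WriteProcessMemory" and a.get("target_pid") not in (None, pid):
            remote_writes.add((pid, a["target_pid"]))
        elif api in SET_CONTEXT_APIS and (pid, a.get("target_pid")) in remote_writes:
            # Registers rewritten in a process the caller just wrote into: hollowing pattern.
            hit("Suspicious use of SetThreadContext", i)
    return findings


def signature_names(trace: list[dict]) -> list[str]:
    """Convenience view: just the signature names, in trace order."""
    return [f["signature"] for f in detect(trace)]


if __name__ == "__main__":
    for f in detect(TRACE):
        print(f"event {f['event']:>2} {f['api']:<24} -> {f['signature']}")
```

The SetThreadContext rule deliberately requires a preceding WriteProcessMemory into the same target process from the same caller; a thread-context change inside the sample's own process, or one with no prior remote write, is common in legitimate code and is not flagged.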

MITRE ATT&CK Enterprise v6

Tasks