Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

SchoolBoy Runaway.exe

windows10-ltsc 2021-x64

Resubmissions

06/03/2025, 03:13

250306-dqq5hsxlz7 4

06/03/2025, 03:02

250306-djjrvswwb1 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SchoolBoy Runaway.exe

  • Size

    635KB

  • Sample

    250306-djjrvswwb1

  • MD5

    c66114e4978c9d4471f950928b0e2f9d

  • SHA1

    1dee05ddcbf6f449d07e5f82a8bedd5c5e5452f9

  • SHA256

    a8683d722ba537caef48839be7a454fcb9a190aaa06c092daa5e9f92686b35db

  • SHA512

    e066d1a3061b50ad0d1420c2813069d6843920e6262f9ececa35a4a066f31060c51ccb5ea2caf59e39de3f3752fdf291b7725fb01abe2d73f1324125fbe4a563

  • SSDEEP

    12288:UKQGzu2BFhnkCYEABNdL7urYP1DqcKoYRC3zC12KZvIZX:UKZkD3L7urYP1DtKoYRCQ2KZvE

Score
10/10
badrabbitdanabotmimikatzbankerbootkitbotnetdefense_evasiondiscoverymacropersistenceransomwaretrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://erpoweredent.at/3/zte.dll

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204
rsa_pubkey.plain

Targets

    • Target

      SchoolBoy Runaway.exe

    • Size

      635KB

    • MD5

      c66114e4978c9d4471f950928b0e2f9d

    • SHA1

      1dee05ddcbf6f449d07e5f82a8bedd5c5e5452f9

    • SHA256

      a8683d722ba537caef48839be7a454fcb9a190aaa06c092daa5e9f92686b35db

    • SHA512

      e066d1a3061b50ad0d1420c2813069d6843920e6262f9ececa35a4a066f31060c51ccb5ea2caf59e39de3f3752fdf291b7725fb01abe2d73f1324125fbe4a563

    • SSDEEP

      12288:UKQGzu2BFhnkCYEABNdL7urYP1DqcKoYRC3zC12KZvIZX:UKZkD3L7urYP1DtKoYRCQ2KZvE

    Score
    10/10
    badrabbitdanabotmimikatzbankerbootkitbotnetdefense_evasiondiscoverymacropersistenceransomwaretrojanxlm

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

      ransomwarebadrabbit

    • Badrabbit family

      badrabbit

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

      trojanbankerdanabot

    • Danabot family

      danabot

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

      botnet

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

      mimikatz

    • Mimikatz family

      mimikatz

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • mimikatz is an open source tool to dump credentials on Windows

    • Blocklisted process makes network request

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

      macroxlm

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks