Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    file.exe

  • Size

    290KB

  • Sample

    220908-n9qyzabfgp

  • MD5

    60e040fb9d158f64855ada283f365993

  • SHA1

    359544fbbea7e11c5fc87e98aa7a1c4a280d75bb

  • SHA256

    278112b324b4baf0de15924dd94225df2579d2e5e23a16a270c11e55e5f7384f

  • SHA512

    d4e9270050b7704ce5e921f8840e09e4a589e70f019648aca8463ce4d449b2f67c3fd77d9cbd8b866162378d33b87f7f958d8597bd95cb9d2c018b88254a1ba1

  • SSDEEP

    6144:UhnkXDKb2qlouDXCLVUOuxZRS0ohly5myleAWLYluevu9pNw9:LXE2qlouWOOuxZwM5mydcY4em97

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://microsoftdownload.ddns.net:8808/downloader/WinSecurityUpdate

Extracted

Family

redline

Botnet

mario_new

C2

176.122.23.55:11768

Attributes
  • auth_value

    eeee8d5fcc3ba3a42094ef260c5bdcb4

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/dhfry901/

Extracted

Family

redline

Botnet

1337

C2

78.153.144.6:2510

Attributes
  • auth_value

    b0447922bcbc2eda83260a9e7a638f45

Extracted

Family

redline

Botnet

nam5

C2

103.89.90.61:34589

Attributes
  • auth_value

    f23be8e9063fe5d0c6fc3ee8e7d565bd

Targets

    • Target

      file.exe

    • Size

      290KB

    • MD5

      60e040fb9d158f64855ada283f365993

    • SHA1

      359544fbbea7e11c5fc87e98aa7a1c4a280d75bb

    • SHA256

      278112b324b4baf0de15924dd94225df2579d2e5e23a16a270c11e55e5f7384f

    • SHA512

      d4e9270050b7704ce5e921f8840e09e4a589e70f019648aca8463ce4d449b2f67c3fd77d9cbd8b866162378d33b87f7f958d8597bd95cb9d2c018b88254a1ba1

    • SSDEEP

      6144:UhnkXDKb2qlouDXCLVUOuxZRS0ohly5myleAWLYluevu9pNw9:LXE2qlouWOOuxZwM5mydcY4em97

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detects Smokeloader packer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks