Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    cad30ad3dc657a39b8e8625ed7d40ae81f4ad7808021758ddbed1990227403e9

  • Size

    206KB

  • Sample

    220909-1tt2xachcn

  • MD5

    4ba211fd0f4e87d602cc3ff2d72d5923

  • SHA1

    39961f482f6b0809a307e2656f9594c3109d16ae

  • SHA256

    cad30ad3dc657a39b8e8625ed7d40ae81f4ad7808021758ddbed1990227403e9

  • SHA512

    31a367b55bae96ff4fcd9d49a700bf74a519f072a8dffa8e716d7ce6bb8e03c19eaec3931c23d3f0745d42f6bafcc17d914180c2665bf50cdc3abae8aaa4fd14

  • SSDEEP

    3072:9z5sqyLDITrdp5z1eh/gIhUWsXmVaauUfO8hgGhNDii:vcLDITrPrIiWsXmVaanhgG7Db

Malware Config

Extracted

Family

redline

Botnet

1337

C2

78.153.144.6:2510

Attributes
  • auth_value

    b0447922bcbc2eda83260a9e7a638f45

Extracted

Family

redline

Botnet

nam5

C2

103.89.90.61:34589

Attributes
  • auth_value

    f23be8e9063fe5d0c6fc3ee8e7d565bd

Extracted

Family

raccoon

Botnet

567d5bff28c2a18132d2f88511f07435

C2

http://116.203.167.5/

http://195.201.248.58/

rc4.plain

Targets

    • Target

      cad30ad3dc657a39b8e8625ed7d40ae81f4ad7808021758ddbed1990227403e9

    • Size

      206KB

    • MD5

      4ba211fd0f4e87d602cc3ff2d72d5923

    • SHA1

      39961f482f6b0809a307e2656f9594c3109d16ae

    • SHA256

      cad30ad3dc657a39b8e8625ed7d40ae81f4ad7808021758ddbed1990227403e9

    • SHA512

      31a367b55bae96ff4fcd9d49a700bf74a519f072a8dffa8e716d7ce6bb8e03c19eaec3931c23d3f0745d42f6bafcc17d914180c2665bf50cdc3abae8aaa4fd14

    • SSDEEP

      3072:9z5sqyLDITrdp5z1eh/gIhUWsXmVaauUfO8hgGhNDii:vcLDITrPrIiWsXmVaanhgG7Db

    • Detects Smokeloader packer

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks