General

  • Target

    dbbaf504fb9943cde9343d3b4d78a57aa123d4ea171ffb57d3278ffb2fd3b521

  • Size

    304KB

  • Sample

    220911-eer34sefhj

  • MD5

    c8360105d427531678193ad865233da7

  • SHA1

    ba5dd8fb2b9dbd4651f1649e28b35a80b76f89d9

  • SHA256

    dbbaf504fb9943cde9343d3b4d78a57aa123d4ea171ffb57d3278ffb2fd3b521

  • SHA512

    1879861c96ef6dcd872b8657adbab932a6286bd2ad37e1658608e0cf704f9ad4b4bc8c95892d6ba0bfde427de67d324a208f23216fd406d658f6644f5ea5b7c0

  • SSDEEP

    6144:/vU38NacD6CJjeXnCCK5Ke2duCdOsoeEGkwExJU9bN0VF:/4bcD1JjeXnCtKekOdYrErQB0

Malware Config

Extracted

  • Family

    raccoon

  • Botnet

    1adeb438cd8ab2abb4349e0ca6853b53

  • C2

    http://94.131.106.225

    http://188.119.112.93/

    http://94.131.106.224

  • rc4.plain

Targets

    • Target

      dbbaf504fb9943cde9343d3b4d78a57aa123d4ea171ffb57d3278ffb2fd3b521

    • Size

      304KB

    • MD5

      c8360105d427531678193ad865233da7

    • SHA1

      ba5dd8fb2b9dbd4651f1649e28b35a80b76f89d9

    • SHA256

      dbbaf504fb9943cde9343d3b4d78a57aa123d4ea171ffb57d3278ffb2fd3b521

    • SHA512

      1879861c96ef6dcd872b8657adbab932a6286bd2ad37e1658608e0cf704f9ad4b4bc8c95892d6ba0bfde427de67d324a208f23216fd406d658f6644f5ea5b7c0

    • SSDEEP

      6144:/vU38NacD6CJjeXnCCK5Ke2duCdOsoeEGkwExJU9bN0VF:/4bcD1JjeXnCtKekOdYrErQB0

    • Detects Smokeloader packer

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks