General

  • Target

    file.exe

  • Size

    231KB

  • Sample

    221228-mkyf3sac22

  • MD5

    65373ca1501ea5eee86d6cfec11e0b93

  • SHA1

    2b256b6d19c48b79bec386037465dcfc6527d610

  • SHA256

    06082ff07e6a1d8c0f9fa2096e866d63fafbac246b596a600ee28c3eb6b094bf

  • SHA512

    666047807783b478d0b5132ebbf9c76f636336b8c15f1ea172482e337cf9086bedfb8bb38314f60572df34be651d5d5d26762c9c6ea98a2a1d4f625f9cb615f1

  • SSDEEP

    3072:jy8GLffxhTV5C5eyhw1w0f2TpS7xeuISMphWPtYKs/xAI99:+LnHTa5K7fMQ7k1LW1YDZ

Malware Config

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://s28bxcw.xyz

config.edgse.skype.com

http://89.43.107.7

Attributes
  • base_path

    /recycle/

  • build

    250249

  • exe_type

    loader

  • extension

    .alo

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

amadey

Version

3.63

C2

62.204.41.165/g8sjnd3xe/index.php

Extracted

Family

gozi

Botnet

22500

C2

confisg.edge.skype.com

http://s28bxcw.xyz

http://89.43.107.7

Attributes
  • base_path

    /recycle/

  • build

    250249

  • exe_type

    worker

  • extension

    .alo

  • server_id

    50

rsa_pubkey.plain
aes.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks