Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e

  • Size

    258KB

  • Sample

    230303-qvjx8ahb3v

  • MD5

    8c2506fef155bd72ee5100610aebc9e4

  • SHA1

    13067fec38a031c3eb365e96a797768c1249bf96

  • SHA256

    4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e

  • SHA512

    79d15edbec81dbce468bccb286fec0b35c2eec84182c5052dde3679091dcab4aaa50dd54c72f84fdee0dd7b31d88279a09317fe82b27292268ae2609a1105925

  • SSDEEP

    3072:e4C5oq7lwHUZZu0Po6gtmNqs8OGWHGij/Moxr0KSlkMsg67IaOqcnD53pjAXPSQo:D4ocuU7u0Po6gRw7HGQCmOqcDzj

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

rosto

C2

hueref.eu:4162

Attributes
  • auth_value

    07d81eba8cad42bbd0ae60042d48eac6

Extracted

Family

amadey

Version

3.68

C2

193.233.20.25/buH5N004d/index.php

Targets

    • Target

      4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e

    • Size

      258KB

    • MD5

      8c2506fef155bd72ee5100610aebc9e4

    • SHA1

      13067fec38a031c3eb365e96a797768c1249bf96

    • SHA256

      4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e

    • SHA512

      79d15edbec81dbce468bccb286fec0b35c2eec84182c5052dde3679091dcab4aaa50dd54c72f84fdee0dd7b31d88279a09317fe82b27292268ae2609a1105925

    • SSDEEP

      3072:e4C5oq7lwHUZZu0Po6gtmNqs8OGWHGij/Moxr0KSlkMsg67IaOqcnD53pjAXPSQo:D4ocuU7u0Po6gRw7HGQCmOqcDzj

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Smokeloader packer

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks