General

  • Target

    00e9599c66f1be29e536826de5211e51a928d8aa0432aa6eedb85e33a39f6407

  • Size

    340KB

  • Sample

    230508-ykh7yace25

  • MD5

    f254383b87701064f4cb4a71572f2932

  • SHA1

    79cec40c929bdbf0082eafe8f22b1034c961f680

  • SHA256

    00e9599c66f1be29e536826de5211e51a928d8aa0432aa6eedb85e33a39f6407

  • SHA512

    f60e3ddda233cf34944e2f04aa1fdd1d221a4e1dcabb8c4a42586237d15e12acddde040ef1424a3661c7c115b1d3bb479277517fd69e9075836549f92c07c903

  • SSDEEP

    3072:dzd6puir2fSlFK+A/GkaNrAAAh/FZDGPNKa7ixJ235KRVtivpKkEVx4m0L:dGuJ+DAu1mPh9hGP7sAJqtkKl

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

C2

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

217.182.15.146:7357

Attributes
  • auth_value

    c2955ed3813a798683a185a82e949f88
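The extracted configs above give two independent sets of network indicators: five SmokeLoader C2 domains (contacted over plain HTTP) and one RedLine ip:port endpoint. The following script, added here as an example and not part of the tria.ge report or either malware family's own code, turns those values into a small IOC sweep over proxy/DNS-style log lines. The log format (timestamp, source IP, destination ip:port, method, target) and the log lines themselves are constructed for this example; subdomains of a C2 domain are treated as full-confidence hits, while traffic to the RedLine IP on a different port is reported at lower confidence so it is not silently dropped.

```python
"""IOC sweep over constructed proxy-style log lines using the C2 values
extracted in this report. Added example, not code from tria.ge."""
import re
from urllib.parse import urlparse

# C2 values exactly as extracted in the report above
SMOKELOADER_C2 = [
    "http://hoh0aeghwugh2gie.com/",
    "http://hie7doodohpae4na.com/",
    "http://aek0aicifaloh1yo.com/",
    "http://yic0oosaeiy7ahng.com/",
    "http://wa5zu7sekai8xeih.com/",
]
REDLINE_C2 = ["217.182.15.146:7357"]

# Assumed (constructed) log format: "<ts> <src> <dst_ip>:<dst_port> <method> [<target>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dip>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<method>\S+)(?: (?P<target>\S+))?"
)

# Constructed sample lines, not taken from the report
SAMPLE_LOG = """\
2023-05-08T10:01:02Z 10.0.0.5 93.184.216.34:443 CONNECT www.example.com:443
2023-05-08T10:01:09Z 10.0.0.5 198.51.100.7:80 GET http://hoh0aeghwugh2gie.com/ HTTP/1.1
2023-05-08T10:01:15Z 10.0.0.5 217.182.15.146:7357 TCP
2023-05-08T10:02:30Z 10.0.0.9 203.0.113.2:80 GET http://sub.hie7doodohpae4na.com/index.php HTTP/1.1
2023-05-08T10:03:00Z 10.0.0.9 217.182.15.146:443 TCP
"""


def build_iocs():
    """Map each indicator to its family: ("host", name) or ("endpoint", ip, port)."""
    iocs = {}
    for url in SMOKELOADER_C2:
        iocs[("host", urlparse(url).hostname.lower())] = "smokeloader"
    for ep in REDLINE_C2:
        ip, port = ep.rsplit(":", 1)
        iocs[("endpoint", ip, int(port))] = "redline"
    return iocs


def host_from_target(method, target):
    """Recover the destination hostname from a CONNECT target or a full URL."""
    if not target:
        return None
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlparse(target).hostname or "").lower() or None


def host_matches(host, ioc_host):
    """Exact match or subdomain of the C2 domain."""
    return host == ioc_host or host.endswith("." + ioc_host)


def sweep(log_text, iocs=None):
    """Return one hit dict per matching line: line number, family, indicator, confidence."""
    iocs = iocs or build_iocs()
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        dip, dport = m["dip"], int(m["dport"])
        host = host_from_target(m["method"], m["target"])
        for key, family in iocs.items():
            if key[0] == "host":
                if host and host_matches(host, key[1]):
                    hits.append({"line": n, "family": family,
                                 "indicator": key[1], "confidence": "high"})
            else:
                _, ioc_ip, ioc_port = key
                if (dip, dport) == (ioc_ip, ioc_port):
                    hits.append({"line": n, "family": family,
                                 "indicator": f"{dip}:{dport}", "confidence": "high"})
                elif dip == ioc_ip:
                    # same C2 host, different port: worth a look, but not a config match
                    hits.append({"line": n, "family": family,
                                 "indicator": dip, "confidence": "medium"})
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(hit)
```

The domain match deliberately keys on the hostname rather than the full URL, since SmokeLoader check-ins vary the path while the configured domain stays fixed; the RedLine endpoint is matched as ip:port because that is the granularity the config gives.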

Targets

    • Target

      00e9599c66f1be29e536826de5211e51a928d8aa0432aa6eedb85e33a39f6407

    • Size

      340KB

    • MD5

      f254383b87701064f4cb4a71572f2932

    • SHA1

      79cec40c929bdbf0082eafe8f22b1034c961f680

    • SHA256

      00e9599c66f1be29e536826de5211e51a928d8aa0432aa6eedb85e33a39f6407

    • SHA512

      f60e3ddda233cf34944e2f04aa1fdd1d221a4e1dcabb8c4a42586237d15e12acddde040ef1424a3661c7c115b1d3bb479277517fd69e9075836549f92c07c903

    • SSDEEP

      3072:dzd6puir2fSlFK+A/GkaNrAAAh/FZDGPNKa7ixJ235KRVtivpKkEVx4m0L:dGuJ+DAu1mPh9hGP7sAJqtkKl

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
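Several of the signatures above (VirtualBox ACPI values, BIOS information, the configured country code, the Uninstall key enumeration, the UAC check) fire on registry reads of well-known paths. The script below, added as an example and not tria.ge's own signature engine, shows how those behaviours can be recovered from a registry-access event stream: each event is normalised and matched against a rule table keyed by the signature names used in this report, and the evasion-style rules (VM, BIOS, geofence) are counted separately. The event lines are constructed for this example in an assumed "<operation> <path>" format; the registry paths themselves are the standard Windows locations for these checks.

```python
"""Classify constructed registry-access events against the sandbox/anti-VM
signatures listed in this report. Added example, not tria.ge code."""
import re

# Constructed sample events (assumed format: "<op> <registry path>"), not from the report
EVENTS = r"""
RegOpenKey HKLM\HARDWARE\ACPI\DSDT\VBOX__
RegQueryValue HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
RegQueryValue HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion
RegQueryValue HKCU\Control Panel\International\Geo\Nation
RegEnumKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
RegQueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
"""

# (signature name as used in the report, regex over the normalised lower-case path)
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     r"^hklm\\hardware\\acpi\\(dsdt|fadt|rsdt)\\vbox__"),
    ("Checks BIOS information in registry",
     r"^hklm\\hardware\\description\\system\\(system|video)biosversion$"
     r"|^hklm\\hardware\\description\\system\\bios\\"),
    ("Checks computer location settings",
     r"^hkcu\\control panel\\international\\geo\\nation$"),
    ("Checks installed software on the system",
     r"^hklm\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\uninstall"),
    ("Checks whether UAC is enabled",
     r"^hklm\\software\\microsoft\\windows\\currentversion\\policies\\system\\enablelua$"),
]

# Rules that indicate the sample is deciding whether to run at all
EVASION_RULES = {RULES[0][0], RULES[1][0], RULES[2][0]}


def normalize(path):
    """Lower-case the path and fold long hive names to the short forms used in RULES."""
    p = path.strip().lower()
    for long, short in (("hkey_local_machine", "hklm"), ("hkey_current_user", "hkcu")):
        if p.startswith(long):
            p = short + p[len(long):]
    return p


def classify(events_text):
    """Return {signature name: [matching original paths]} for events that trip a rule."""
    hits = {}
    for line in events_text.splitlines():
        if not line.strip():
            continue
        _op, _, path = line.partition(" ")   # path may itself contain spaces
        norm = normalize(path)
        for name, pattern in RULES:
            if re.search(pattern, norm):
                hits.setdefault(name, []).append(path)
    return hits


def anti_analysis_score(hits):
    """Number of distinct evasion-style signatures (VM, BIOS, geofence) observed."""
    return len(EVASION_RULES & set(hits))


if __name__ == "__main__":
    result = classify(EVENTS)
    for name, paths in result.items():
        print(f"{name}: {len(paths)} event(s)")
    print("anti-analysis signatures:", anti_analysis_score(result))
```

The last sample event (a Run-key read) intentionally matches nothing, since the rules are anchored on the specific keys the signatures describe rather than on hive prefixes; keeping the patterns that tight is what keeps a rule such as "Checks BIOS information" from firing on ordinary software that reads unrelated HARDWARE values.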
