General

  • Target

    200acc7cade28c0ab7ef52a77ab521a4e9df8ddc405c55b662c9b769807f924f

  • Size

    515KB

  • Sample

    230717-ffhfqsah9t

  • MD5

    35c16b26a33d8a3ce6fb2dc6785170b2

  • SHA1

    4a172a01acb1250250c6c160fae2ed0bd66efd7c

  • SHA256

    200acc7cade28c0ab7ef52a77ab521a4e9df8ddc405c55b662c9b769807f924f

  • SHA512

    e4cfa6f682961bf43c06651c093ca91178c01985cd913655af54034a82e7fbf7aef722631ffaa3e6ace33707b4d17dc02a9958c6fe460c9350a1b5e590f383a4

  • SSDEEP

    6144:Kky+bnr+np0yN90QEx2WqjxCR8ykZWNvc3QksRyipApriITZfsAYcxmirp7BcLQ6:wMrfy90K7s8yk0NOr56BwdV7yLsJs

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.85

  • C2

    77.91.68.3/home/love/index.php

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://77.91.68.29/fks/

  • rc4.i32

Extracted

  • Family

    redline

  • Botnet

    zahar

  • C2

    77.91.68.56:19071

  • Attributes

    auth_value: 94c55a31fcf1761f07eeb4a0c6fb74fa

Targets

    • Target

      200acc7cade28c0ab7ef52a77ab521a4e9df8ddc405c55b662c9b769807f924f

    • Size

      515KB

    • MD5

      35c16b26a33d8a3ce6fb2dc6785170b2

    • SHA1

      4a172a01acb1250250c6c160fae2ed0bd66efd7c

    • SHA256

      200acc7cade28c0ab7ef52a77ab521a4e9df8ddc405c55b662c9b769807f924f

    • SHA512

      e4cfa6f682961bf43c06651c093ca91178c01985cd913655af54034a82e7fbf7aef722631ffaa3e6ace33707b4d17dc02a9958c6fe460c9350a1b5e590f383a4

    • SSDEEP

      6144:Kky+bnr+np0yN90QEx2WqjxCR8ykZWNvc3QksRyipApriITZfsAYcxmirp7BcLQ6:wMrfy90K7s8yk0NOr56BwdV7yLsJs

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks