Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    b2acceb6014fa93a71deb38608df3d8b96ff821b7bb21f1b7a83b2f9f4ff1810

  • Size

    514KB

  • Sample

    230718-xmfddsdb82

  • MD5

    ea5d332d3d98ddfeb266bc9eb3fb2c69

  • SHA1

    0746a112f7f3a2b90d4ad74d4ac46480df3cd532

  • SHA256

    b2acceb6014fa93a71deb38608df3d8b96ff821b7bb21f1b7a83b2f9f4ff1810

  • SHA512

    e53c76dbb45f10a1038c3ecfeb9f79cf68dafa71b46498d610d89232218e01da92094b21ad7e727ab415d2ebf83ee5ee4ce7d328b18bf3b4569c7827871533db

  • SSDEEP

    12288:sMrty90UV8JaExwKsbOJNYQ52EyuoA07OX:xyTdb8NYfEg3a

Malware Config

Extracted

Family

amadey

Version

3.85

C2

77.91.68.3/home/love/index.php

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Targets

    • Target

      b2acceb6014fa93a71deb38608df3d8b96ff821b7bb21f1b7a83b2f9f4ff1810

    • Size

      514KB

    • MD5

      ea5d332d3d98ddfeb266bc9eb3fb2c69

    • SHA1

      0746a112f7f3a2b90d4ad74d4ac46480df3cd532

    • SHA256

      b2acceb6014fa93a71deb38608df3d8b96ff821b7bb21f1b7a83b2f9f4ff1810

    • SHA512

      e53c76dbb45f10a1038c3ecfeb9f79cf68dafa71b46498d610d89232218e01da92094b21ad7e727ab415d2ebf83ee5ee4ce7d328b18bf3b4569c7827871533db

    • SSDEEP

      12288:sMrty90UV8JaExwKsbOJNYQ52EyuoA07OX:xyTdb8NYfEg3a

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks