General

  • Target

    c23548d89eabc21fc0e03cac1c52cceefb7cd0619a1372e7660ba160258b8004

  • Size

    515KB

  • Sample

    230721-dgckrscd6y

  • MD5

    1eaccf31d013c20ac52a39a2e3b7cfac

  • SHA1

    381de7d79a8ab9bb89b6eee2d8916516cb1c73c6

  • SHA256

    c23548d89eabc21fc0e03cac1c52cceefb7cd0619a1372e7660ba160258b8004

  • SHA512

    5ec7973a6595312bb8bcfa56cf24bd04e62288408b7add84b3b752ede0d5bc2420a31a0c8a337354f25b5f0aa300d86d194f17aa2582d377bca33a4de5548c0b

  • SSDEEP

    12288:JMrwy90sT6k73Lwi3qbhEu/+PmDPOnOZULdxE:pyjgZedPmPf

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.85

  • C2

    77.91.68.3/home/love/index.php

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://77.91.68.29/fks/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    redline

  • Botnet

    nasa

  • C2

    77.91.68.68:19071

Attributes

  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Targets

    • Target

      c23548d89eabc21fc0e03cac1c52cceefb7cd0619a1372e7660ba160258b8004

    • Size

      515KB

    • MD5

      1eaccf31d013c20ac52a39a2e3b7cfac

    • SHA1

      381de7d79a8ab9bb89b6eee2d8916516cb1c73c6

    • SHA256

      c23548d89eabc21fc0e03cac1c52cceefb7cd0619a1372e7660ba160258b8004

    • SHA512

      5ec7973a6595312bb8bcfa56cf24bd04e62288408b7add84b3b752ede0d5bc2420a31a0c8a337354f25b5f0aa300d86d194f17aa2582d377bca33a4de5548c0b

    • SSDEEP

      12288:JMrwy90sT6k73Lwi3qbhEu/+PmDPOnOZULdxE:pyjgZedPmPf

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks