General

  • Target: RFQ# RE-2301707.xls
  • Size: 1.2MB
  • Sample: 230721-gqbllsch51
  • MD5: b9b21e99991c542b6c2298548c004f28
  • SHA1: 09ab1bbc0baff1fee59e5409303297d9d2e80c47
  • SHA256: ceeb7b4c98464f0429796c743d1c78e2d18c331c4e7c87448440726b7531e1d1
  • SHA512: a9693452c08a496ec9063500d328d0772b45fc4b688557497593cda36cc291d760b70af3fce5b308d73ecc227f0ae0408365b3177e3185337624c2e226028713
  • SSDEEP: 24576:90nKZyUw6Vtln+Zykw6VINX0wI6XiHP5n2wyL/gGD1p3H:90U06Vtlok6V+X35iPdxe/gON

Malware Config

Extracted

Family: smokeloader

Version: 2022

C2:

  • http://cletonmy.com/
  • http://alpatrik.com/

rc4.i32
rc4.i32

Targets

    • Target: RFQ# RE-2301707.xls

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks