General

  • Target: fc37998f46b30ef1ca6fbdec23032c7c6010165d00bd89ace139ba02a233e3a3
  • Size: 515KB
  • Sample: 230723-qhr33aeb58
  • MD5: 1e366d70b981c13f16e3aa60eda74fd6
  • SHA1: 966ab8651dbaf788b44b7213e1b71d3ba807e1cc
  • SHA256: fc37998f46b30ef1ca6fbdec23032c7c6010165d00bd89ace139ba02a233e3a3
  • SHA512: 57cbd788184c52f7ba0ac523bd09afa02c4752d7d3a226d87c8d169677aaacc911c90134b77c28c79ee8c01f3fca72c7e962dd12541b31ca6c7d8310330a7397
  • SSDEEP: 12288:+MrDy90pyLMG0Mg0IBid8zWEYS0fu2QSqkVVc:lyOq0Mg0j070Tc

Malware Config

Extracted
  • Family: amadey
  • Version: 3.85
  • C2: 77.91.68.3/home/love/index.php

Extracted
  • Family: smokeloader
  • Version: 2022
  • C2: http://77.91.68.29/fks/
  • rc4.i32
  • rc4.i32

Extracted
  • Family: redline
  • Botnet: news
  • C2: 77.91.68.68:19071
  • Attributes
    • auth_value: 99ba2ffe8d72ebe9fdc7e758c94db148

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15
