Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
906f62f32bbd2dcbc7e889a5790032e73bfab3847909a1b91873e508bef112e9
-
Size
1.4MB
-
Sample
230917-whxw7see33
-
MD5
fa2e39f0926c9393a068b41c17234108
-
SHA1
e557014f56e68416424f749332648cb45900960c
-
SHA256
906f62f32bbd2dcbc7e889a5790032e73bfab3847909a1b91873e508bef112e9
-
SHA512
7f3af6b0b60fe9ad8ec917eba2efe6f256873ddefd513a4073f67c9f093a79de06604b47d09a8736e7724af078e05ee8f2709015123446a263d0b0c3dfe97984
-
SSDEEP
24576:lE9+E9FP+/BL5hDmMPgqIexbLYS+WaTlP/G2CA7I71AB/o68dgVGsP6HJ7TiW6IU:lE99FyBL+GgVcbLuH7IpQMg3P6H5iuRg
Static task
static1
Behavioral task
behavioral1
Sample
906f62f32bbd2dcbc7e889a5790032e73bfab3847909a1b91873e508bef112e9.exe
Resource
win10v2004-20230915-en
Malware Config
Extracted
amadey
3.89
http://77.91.68.52/mac/index.php
http://77.91.68.78/help/index.php
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
monik
77.91.124.82:19071
-
auth_value
da7d9ea0878f5901f1f8319d34bdccea
Extracted
redline
0305
185.215.113.25:10195
-
auth_value
c86205ff1cc37b2da12f0190adfda52c
Targets
-
-
Target
906f62f32bbd2dcbc7e889a5790032e73bfab3847909a1b91873e508bef112e9
-
Size
1.4MB
-
MD5
fa2e39f0926c9393a068b41c17234108
-
SHA1
e557014f56e68416424f749332648cb45900960c
-
SHA256
906f62f32bbd2dcbc7e889a5790032e73bfab3847909a1b91873e508bef112e9
-
SHA512
7f3af6b0b60fe9ad8ec917eba2efe6f256873ddefd513a4073f67c9f093a79de06604b47d09a8736e7724af078e05ee8f2709015123446a263d0b0c3dfe97984
-
SSDEEP
24576:lE9+E9FP+/BL5hDmMPgqIexbLYS+WaTlP/G2CA7I71AB/o68dgVGsP6HJ7TiW6IU:lE99FyBL+GgVcbLuH7IpQMg3P6H5iuRg
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Fabookie payload
-
Detects Healer an antivirus disabler dropper
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1