Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
file.exe
-
Size
1.4MB
-
Sample
230920-vypebshf81
-
MD5
748b2d86b4a88da177bd92331e79986e
-
SHA1
3971c0981eacb1c7d6efec7617eeb7097f6d3d98
-
SHA256
9ed376f6a207601c6cd314a0475feca5ba4b0ff3077b048a8eeaac0aab30d4ac
-
SHA512
e4d0693553b9dd49bfaea7b5f619124c0fe1d743a6df9475dc54ed5874f5cf1eb422e6bea41cb89d77b4258856766908f32832eca8d25e3d52562110a7000901
-
SSDEEP
24576:UyMrGd44yJPRGgqOy0v2uO3RLBYVVqyp0b9z7dZS+0ESDdnOdCXVKWiwT8HHnrn:jMrGQRGghU3Avqq0Z3/iESpnOdGrYnrc
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230831-en
Malware Config
Extracted
redline
trush
77.91.124.82:19071
-
auth_value
c13814867cde8193679cd0cad2d774be
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
fabookie
http://app.nnnaajjjgc.com/check/safe
Targets
-
-
Target
file.exe
-
Size
1.4MB
-
MD5
748b2d86b4a88da177bd92331e79986e
-
SHA1
3971c0981eacb1c7d6efec7617eeb7097f6d3d98
-
SHA256
9ed376f6a207601c6cd314a0475feca5ba4b0ff3077b048a8eeaac0aab30d4ac
-
SHA512
e4d0693553b9dd49bfaea7b5f619124c0fe1d743a6df9475dc54ed5874f5cf1eb422e6bea41cb89d77b4258856766908f32832eca8d25e3d52562110a7000901
-
SSDEEP
24576:UyMrGd44yJPRGgqOy0v2uO3RLBYVVqyp0b9z7dZS+0ESDdnOdCXVKWiwT8HHnrn:jMrGQRGghU3Avqq0Z3/iESpnOdGrYnrc
-
Detect Fabookie payload
-
Detects Healer an antivirus disabler dropper
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Scripting
1