Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    7fbdbf852d130b527d0d9e2524a4efdf2c059b12b34f13f293f5239c6e25e7e9

  • Size

    1.3MB

  • Sample

    230921-hqw3zsga86

  • MD5

    7841ca8d0e1711f38fd8c487cd5ffb65

  • SHA1

    1016e65187b39496dd3e9e8c0de81e0823421fb6

  • SHA256

    7fbdbf852d130b527d0d9e2524a4efdf2c059b12b34f13f293f5239c6e25e7e9

  • SHA512

    bd4fdd32a276f006a64228d43e91a57204bf1d09bec93e98434f85991858418e445843edcc87d9e4faa2831ea1e8cc92505d3fa979a5aedd0f7540f3f9378de7

  • SSDEEP

    24576:jyasDtLpOcRK2+L6n8c1gO6sCVSGgHKDsDC5bJQOVsPkjLd9uS6TuKF6TS:2hFJ+uN1PQVSGgH2RrQOiP45bs9

Malware Config

Extracted

Family

redline

Botnet

trush

C2

77.91.124.82:19071

Attributes
  • auth_value

    c13814867cde8193679cd0cad2d774be

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Targets

    • Target

      7fbdbf852d130b527d0d9e2524a4efdf2c059b12b34f13f293f5239c6e25e7e9

    • Size

      1.3MB

    • MD5

      7841ca8d0e1711f38fd8c487cd5ffb65

    • SHA1

      1016e65187b39496dd3e9e8c0de81e0823421fb6

    • SHA256

      7fbdbf852d130b527d0d9e2524a4efdf2c059b12b34f13f293f5239c6e25e7e9

    • SHA512

      bd4fdd32a276f006a64228d43e91a57204bf1d09bec93e98434f85991858418e445843edcc87d9e4faa2831ea1e8cc92505d3fa979a5aedd0f7540f3f9378de7

    • SSDEEP

      24576:jyasDtLpOcRK2+L6n8c1gO6sCVSGgHKDsDC5bJQOVsPkjLd9uS6TuKF6TS:2hFJ+uN1PQVSGgH2RrQOiP45bs9

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks