Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
SecuriteInfo.com.Win32.Evo-gen.13929.5108.exe
-
Size
180KB
-
Sample
230930-d2g1zshg95
-
MD5
9fa0492f671ae03b7785f7ada9a5ba8b
-
SHA1
abb13c61df1b4304e35f97a250b3a0a36ea833c8
-
SHA256
db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5
-
SHA512
4f8f9f268af21f303199856cc125daa6eefccf85b2c117fb918c7b7823fb5bcddde2d7d7ce571b8a8c79c204f1a28e09e20140e7bb965f4e27650a80fe28b5ec
-
SSDEEP
3072:tdcnjefohKpFKK1OHg6MQ6hR66R4idQe4hhT8UW33kAqlZ0g4qqXZvYQavwNB95V:HEjKCKpFNEdN6HzRQFQUkkAhg4pZzB
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.Evo-gen.13929.5108.exe
Resource
win7-20230831-en
Malware Config
Extracted
amadey
3.89
http://193.42.32.29/9bDc8sQ/index.php
-
install_dir
1ff8bec27e
-
install_file
nhdues.exe
-
strings_key
2efe1b48925e9abf268903d42284c46b
Extracted
fabookie
http://app.nnnaajjjgc.com/check/safe
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Targets
-
-
Target
SecuriteInfo.com.Win32.Evo-gen.13929.5108.exe
-
Size
180KB
-
MD5
9fa0492f671ae03b7785f7ada9a5ba8b
-
SHA1
abb13c61df1b4304e35f97a250b3a0a36ea833c8
-
SHA256
db606ae120306c9bca7d9b71b4fadf487c2b751fd4490365e23eb1ff4f66a2f5
-
SHA512
4f8f9f268af21f303199856cc125daa6eefccf85b2c117fb918c7b7823fb5bcddde2d7d7ce571b8a8c79c204f1a28e09e20140e7bb965f4e27650a80fe28b5ec
-
SSDEEP
3072:tdcnjefohKpFKK1OHg6MQ6hR66R4idQe4hhT8UW33kAqlZ0g4qqXZvYQavwNB95V:HEjKCKpFNEdN6HzRQFQUkkAhg4pZzB
-
Detect Fabookie payload
-
Glupteba payload
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
XMRig Miner payload
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1