General

  • Target

    cef823e614c07e8813c9e32db81d8dc6a20d00a3e55aca97a6a5c340aa6e5d1c

  • Size

    1012KB

  • Sample

    231001-vt2tvsdf66

  • MD5

    d1906fd8d9e6b18ee8a134e81982e23a

  • SHA1

    3420d976f980b963fec140739f0eaef07c7333e3

  • SHA256

    cef823e614c07e8813c9e32db81d8dc6a20d00a3e55aca97a6a5c340aa6e5d1c

  • SHA512

    c291d08ce4275882bcd8029288073a48837d62471bd093621f16624d75e425891f8ece38d3469a2b05dbc195123e6e643f103e035f2ea5ab6302c07a13717045

  • SSDEEP

    24576:4s9rN9YwPzIFbDslb50xVwJF5Jq9HnyKLW2U08U/7zgesADyI:t9rNWwbeP9wsnC0Z70esADyI

Malware Config

Extracted

Family

redline

Botnet

edward

C2

193.58.147.147:39834

Attributes

  • auth_value

    446f634e82d0b4e53079f0a26b8c33a8

Extracted

Family

smokeloader

Botnet

rlol

Extracted

Family

smokeloader

Version

2020

C2

http://akmedia.in/js/k/index.php

http://bethesdaserukam.org/setting/k/index.php

http://stemschools.in/js/k/index.php

http://dejarestaurant.com/wp-admin/js/k/index.php

http://moabscript.ir/wp-admin/js/k/index.php

http://nicehybridseeds.com/image/catalog/k/index.php

http://imaker.io/picktail/js/k/index.php

http://nanavatisworld.com/assets/js/k/index.php

http://smartbubox.com/img/k/index.php

http://krigenpharmaceuticals.com/js/k/index.php

rc4.i32
rc4.i32

Targets

    • Target

      cef823e614c07e8813c9e32db81d8dc6a20d00a3e55aca97a6a5c340aa6e5d1c

    • Size

      1012KB

    • MD5

      d1906fd8d9e6b18ee8a134e81982e23a

    • SHA1

      3420d976f980b963fec140739f0eaef07c7333e3

    • SHA256

      cef823e614c07e8813c9e32db81d8dc6a20d00a3e55aca97a6a5c340aa6e5d1c

    • SHA512

      c291d08ce4275882bcd8029288073a48837d62471bd093621f16624d75e425891f8ece38d3469a2b05dbc195123e6e643f103e035f2ea5ab6302c07a13717045

    • SSDEEP

      24576:4s9rN9YwPzIFbDslb50xVwJF5Jq9HnyKLW2U08U/7zgesADyI:t9rNWwbeP9wsnC0Z70esADyI

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks