Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    39888d8c3490d982398d136e9e0a4581.bin

  • Size

    11.5MB

  • Sample

    231010-bsnfasbg68

  • MD5

    3f59a58884f81a66367f01e11b111850

  • SHA1

    945c9cc26bd9543541e54a9600dc4297b9d02ad5

  • SHA256

    dc7e996aa04d079773ec896adb84f82c5d92a42c65eb05a42bc98d13407d09d7

  • SHA512

    5b68ab4ad0e60c1368b4a3e154666a648f5281a3c4e4a6af0668b54a6c362ef4be4c71d8b8fec4f9ce19df50263d7708d1539101377898e0c123538175b7f91e

  • SSDEEP

    196608:oR3h61qAGOWAeNJx+LWHAj46l1UHSO8cpn4F8Bh8fUOoxlO8+Tt5eEnaA2pUz1TD:oRx6YJNJALWHil1KSO8cp4F8PQaxlOrr

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Extracted

Family

stealc

C2

http://5.42.65.39

Attributes
  • url_path

    /bed95ea4798a5204.php

rc4.plain

Targets

    • Target

      b115ad95814af3c46b71fd230d3b2a224c8a8f356b27e0367b0f98d4948b2b60.exe

    • Size

      13.4MB

    • MD5

      39888d8c3490d982398d136e9e0a4581

    • SHA1

      737a7f7e308cb3a2152f296cc3a7d44d14a675d7

    • SHA256

      b115ad95814af3c46b71fd230d3b2a224c8a8f356b27e0367b0f98d4948b2b60

    • SHA512

      0e463ccd5e9e98a62426a0eba604fc0664de7b5fc87ad04fef8041c983c4b1d53e024be69c9c8a22354f9b6dae7cfcfa7f2e8e7be6d192240842c09b0ffccf14

    • SSDEEP

      196608:JOmSIaIgCXUXYGU2MYWZ3mpejjiAN8Y/IuHB+q9LOKd/VT7cRRbYc:Jl7JgCkX1SZ3pniI9hZLOKd/Wz

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks