General
- Target: 39888d8c3490d982398d136e9e0a4581.bin
- Size: 11.5MB
- Sample: 231010-bsnfasbg68
- MD5: 3f59a58884f81a66367f01e11b111850
- SHA1: 945c9cc26bd9543541e54a9600dc4297b9d02ad5
- SHA256: dc7e996aa04d079773ec896adb84f82c5d92a42c65eb05a42bc98d13407d09d7
- SHA512: 5b68ab4ad0e60c1368b4a3e154666a648f5281a3c4e4a6af0668b54a6c362ef4be4c71d8b8fec4f9ce19df50263d7708d1539101377898e0c123538175b7f91e
- SSDEEP: 196608:oR3h61qAGOWAeNJx+LWHAj46l1UHSO8cpn4F8Bh8fUOoxlO8+Tt5eEnaA2pUz1TD:oRx6YJNJALWHil1KSO8cp4F8PQaxlOrr
Static task: static1
Malware Config
- Extracted: smokeloader
  - up3
- Extracted: smokeloader
  - 2020
  - http://host-file-host6.com/
  - http://host-host-file8.com/
- Extracted: stealc
  - http://5.42.65.39
  - url_path: /bed95ea4798a5204.php
Targets
- Target: b115ad95814af3c46b71fd230d3b2a224c8a8f356b27e0367b0f98d4948b2b60.exe
- Size: 13.4MB
- MD5: 39888d8c3490d982398d136e9e0a4581
- SHA1: 737a7f7e308cb3a2152f296cc3a7d44d14a675d7
- SHA256: b115ad95814af3c46b71fd230d3b2a224c8a8f356b27e0367b0f98d4948b2b60
- SHA512: 0e463ccd5e9e98a62426a0eba604fc0664de7b5fc87ad04fef8041c983c4b1d53e024be69c9c8a22354f9b6dae7cfcfa7f2e8e7be6d192240842c09b0ffccf14
- SSDEEP: 196608:JOmSIaIgCXUXYGU2MYWZ3mpejjiAN8Y/IuHB+q9LOKd/VT7cRRbYc:Jl7JgCkX1SZ3pniI9hZLOKd/Wz
Signatures
- Glupteba payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies boot configuration data using bcdedit
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard: rootkits can use kernel patching to embed themselves in an operating system.
- Stops running service(s)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15 (technique name followed by the number of matching signatures)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)

Defense Evasion
- Impair Defenses (4)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)