Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    file.exe

  • Size

    294KB

  • Sample

    231012-grs72sdd48

  • MD5

    0ad8d40baae0644d4e3d994c5a8405ac

  • SHA1

    ce9da8f3d3a618571e7c51e0dc42133e26ded313

  • SHA256

    bd1a7304c5cc386fb5b1291dc81a28c2fd6d9c6189fab48fffd31e1ddd18ddd1

  • SHA512

    e86d07ef2812cf26f2daf6b67dcff19ab05e516bddf2305507e94ca441af55e5e836e68d45602e33354c3fae88a27299f7f6a250c36fbec0d8e1f3fe4079b966

  • SSDEEP

    3072:peJCXZpXSivGjYTBxSrTRKTABujHdYoJWxg1NsyfkAhhigM+kiMg87dB:OCZtSdSxWTAJ0xgI8kShigUg8Z

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    195.85.115.195
  • Port:
    21
  • Username:
    TEST3
  • Password:
    159753

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    195.85.115.195
  • Port:
    21
  • Username:
    test
  • Password:
    test

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://gudintas.at/tmp/

http://pik96.ru/tmp/

http://rosatiauto.com/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Targets

    • Target

      file.exe

    • Size

      294KB

    • MD5

      0ad8d40baae0644d4e3d994c5a8405ac

    • SHA1

      ce9da8f3d3a618571e7c51e0dc42133e26ded313

    • SHA256

      bd1a7304c5cc386fb5b1291dc81a28c2fd6d9c6189fab48fffd31e1ddd18ddd1

    • SHA512

      e86d07ef2812cf26f2daf6b67dcff19ab05e516bddf2305507e94ca441af55e5e836e68d45602e33354c3fae88a27299f7f6a250c36fbec0d8e1f3fe4079b966

    • SSDEEP

      3072:peJCXZpXSivGjYTBxSrTRKTABujHdYoJWxg1NsyfkAhhigM+kiMg87dB:OCZtSdSxWTAJ0xgI8kShigUg8Z

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks