Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
4ffc73fc7c1d1cf2e3d6e9ab286d6f55f7b1f757dbc4c426e61f23b8b964a3a8
-
Size
892KB
-
Sample
231102-1gbpsshh36
-
MD5
3b7bdc8241848ba45bafc33457092717
-
SHA1
c63e739b391dfcff7c7ea1f7246f949b52ba20ca
-
SHA256
4ffc73fc7c1d1cf2e3d6e9ab286d6f55f7b1f757dbc4c426e61f23b8b964a3a8
-
SHA512
d5bda2f78dfdd308f65e805198db7d86c0b67b9122b95a0d4bbd29283daabc8d7418f35dcee19fa0a945749efc40a9e225d9d1cd00d142fe3a89f0f4b5f86801
-
SSDEEP
12288:WrBxfaImdYPenb2U7vqx0z2nFs3rv17pxf4phguuS8K9Xs:gSI+YPenb2U7vqun3rvPFf
Static task
static1
Behavioral task
behavioral1
Sample
4ffc73fc7c1d1cf2e3d6e9ab286d6f55f7b1f757dbc4c426e61f23b8b964a3a8.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
4ffc73fc7c1d1cf2e3d6e9ab286d6f55f7b1f757dbc4c426e61f23b8b964a3a8.exe
Resource
win10v2004-20231023-en
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
plost
77.91.124.86:19084
Extracted
redline
kedru
77.91.124.86:19084
Extracted
redline
@ytlogsbot
194.169.175.235:42691
Extracted
redline
pixelnew2.0
194.49.94.11:80
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Targets
-
-
Target
4ffc73fc7c1d1cf2e3d6e9ab286d6f55f7b1f757dbc4c426e61f23b8b964a3a8
-
Size
892KB
-
MD5
3b7bdc8241848ba45bafc33457092717
-
SHA1
c63e739b391dfcff7c7ea1f7246f949b52ba20ca
-
SHA256
4ffc73fc7c1d1cf2e3d6e9ab286d6f55f7b1f757dbc4c426e61f23b8b964a3a8
-
SHA512
d5bda2f78dfdd308f65e805198db7d86c0b67b9122b95a0d4bbd29283daabc8d7418f35dcee19fa0a945749efc40a9e225d9d1cd00d142fe3a89f0f4b5f86801
-
SSDEEP
12288:WrBxfaImdYPenb2U7vqx0z2nFs3rv17pxf4phguuS8K9Xs:gSI+YPenb2U7vqun3rvPFf
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Glupteba payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1