Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    1c6d60fede9969f15a55889eb4fa5877131a0aab4054c904e98ae76467840acb

  • Size

    1.5MB

  • Sample

    231103-m3cmbsbb28

  • MD5

    12ba94227d9d4b39c6c56d0b2e955251

  • SHA1

    5fdae68c8a33b5ccb5fb74ad1788e5690fe1c6d3

  • SHA256

    1c6d60fede9969f15a55889eb4fa5877131a0aab4054c904e98ae76467840acb

  • SHA512

    4b692dbc8b61f82658d98bbd70656a6818888f6d17192bb93716e1ee1e176ba4785d59ce0e9b1a39f7a0b6d402472bb55e44017ff5ac5b15bdb3eab4fa0406dd

  • SSDEEP

    24576:CygpsPWIwG3iW2pFPqFQv8qPFxfrp6RRo7EUF3Mudn4m+j0eFgT3iu:pgVIwHPUm5frEPoEO1wq3i

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

plost

C2

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

kedru

C2

77.91.124.86:19084

Targets

    • Target

      1c6d60fede9969f15a55889eb4fa5877131a0aab4054c904e98ae76467840acb

    • Size

      1.5MB

    • MD5

      12ba94227d9d4b39c6c56d0b2e955251

    • SHA1

      5fdae68c8a33b5ccb5fb74ad1788e5690fe1c6d3

    • SHA256

      1c6d60fede9969f15a55889eb4fa5877131a0aab4054c904e98ae76467840acb

    • SHA512

      4b692dbc8b61f82658d98bbd70656a6818888f6d17192bb93716e1ee1e176ba4785d59ce0e9b1a39f7a0b6d402472bb55e44017ff5ac5b15bdb3eab4fa0406dd

    • SSDEEP

      24576:CygpsPWIwG3iW2pFPqFQv8qPFxfrp6RRo7EUF3Mudn4m+j0eFgT3iu:pgVIwHPUm5frEPoEO1wq3i

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detected google phishing page

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks