General

  • Target: 34345932aedcb3039d80b302c34c7d18233e3b5b5aed48aef4e8dbd758c36ae4
  • Size: 1.7MB
  • Sample: 231103-p3x95sae7v
  • MD5: d403d303b0bf09af922e7bdc0afce378
  • SHA1: 8c4bcb4f635ef37eec6ca99aa4d5cd8c181fea32
  • SHA256: 34345932aedcb3039d80b302c34c7d18233e3b5b5aed48aef4e8dbd758c36ae4
  • SHA512: c9d07b1f48f0d39dee7068fdf208f01f701e71d118198b08e35e6f721786ae69cefccf06b67e790b19d33ec905cfcbb986311d7dadefd849f6adf81e82bd0bb8
  • SSDEEP: 24576:zina0rGPjHIsS8XXwxifpzW6a9Dhvh15Ylzs:zDjHIsS8bftW6a3vGG

Malware Config

Extracted
  • Family: smokeloader
  • Version: 2022
  • C2: http://77.91.68.29/fks/
  • rc4.i32
  • rc4.i32

Extracted
  • Family: redline
  • Botnet: plost
  • C2: 77.91.124.86:19084

Extracted
  • Family: redline
  • Botnet: kedru
  • C2: 77.91.124.86:19084

Extracted
  • Family: redline
  • Botnet: pixelnew2.0
  • C2: 194.49.94.11:80

Extracted
  • Family: smokeloader
  • Botnet: up3

Extracted
  • Family: smokeloader
  • Version: 2020
  • C2: http://host-file-host6.com/
  • C2: http://host-host-file8.com/
  • rc4.i32
  • rc4.i32

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks