Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc

  • Size

    1.2MB

  • Sample

    231113-z1rdxsfe69

  • MD5

    595af3edb05a483f7ba68ecbc9482009

  • SHA1

    32570d9e657664e354a49d95745f4fd377b9756f

  • SHA256

    ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc

  • SHA512

    85fa4dac2260da9a29ab73d2170e56150b9ff3fd09bbc82c79c07460d9186f1b3088e207c8281594f6dc9c5016c94d8097121314a22c68030154ff6b33778c6c

  • SSDEEP

    24576:8yoMYdDaFarOp8xRXcEmK8mzat6B2ch1oZHvsgHOhvpA9LKdWe0h+vE:ron5aFa28xRxP1+i2c+zOhSQtJ

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

pixelfresh

C2

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

C2

194.169.175.235:42691

Targets

    • Target

      ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc

    • Size

      1.2MB

    • MD5

      595af3edb05a483f7ba68ecbc9482009

    • SHA1

      32570d9e657664e354a49d95745f4fd377b9756f

    • SHA256

      ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc

    • SHA512

      85fa4dac2260da9a29ab73d2170e56150b9ff3fd09bbc82c79c07460d9186f1b3088e207c8281594f6dc9c5016c94d8097121314a22c68030154ff6b33778c6c

    • SSDEEP

      24576:8yoMYdDaFarOp8xRXcEmK8mzat6B2ch1oZHvsgHOhvpA9LKdWe0h+vE:ron5aFa28xRxP1+i2c+zOhSQtJ

    • Detect Mystic stealer payload

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks