Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    77257445c8bfd8e85f679f08c60f1cec.exe

  • Size

    1.2MB

  • Sample

    231210-zqz83sdfb6

  • MD5

    77257445c8bfd8e85f679f08c60f1cec

  • SHA1

    c436a6dc8dff76bc4178b12b50ea30b8c0238ca9

  • SHA256

    f9e70f08b45a835123e4239ecf4af774377671e342f13a35ceebf9ed55260b2d

  • SHA512

    8fa5f95e137071f9c876d0f292c403efa863a82b82d9c8f5d0518b4ead0594fa1fa9d1437c8b8944db52363b8be02b578948b31395593cdfec5b042d00f4e568

  • SSDEEP

    24576:iy5Vmod4BIQF9cRWI1IzOXvX2yXoZUPxFFF+GXwzxYv:JfgIfWI1IzOXfeS5r1XMxY

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Targets

    • Target

      77257445c8bfd8e85f679f08c60f1cec.exe

    • Size

      1.2MB

    • MD5

      77257445c8bfd8e85f679f08c60f1cec

    • SHA1

      c436a6dc8dff76bc4178b12b50ea30b8c0238ca9

    • SHA256

      f9e70f08b45a835123e4239ecf4af774377671e342f13a35ceebf9ed55260b2d

    • SHA512

      8fa5f95e137071f9c876d0f292c403efa863a82b82d9c8f5d0518b4ead0594fa1fa9d1437c8b8944db52363b8be02b578948b31395593cdfec5b042d00f4e568

    • SSDEEP

      24576:iy5Vmod4BIQF9cRWI1IzOXvX2yXoZUPxFFF+GXwzxYv:JfgIfWI1IzOXfeS5r1XMxY

    • Detected google phishing page

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks