Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    0c9229e2a4bbdbf3bdd91b7d4ac4fc5d.bin

  • Size

    328KB

  • Sample

    231211-bgxjtsacf3

  • MD5

    a5c67bd612e53c7e8435f1f6f7d64d30

  • SHA1

    de890bb5bedf3d0fad67710848c8fde112f09b95

  • SHA256

    32611a4c0d77ffdc86c434828e7e9275b6d65323b4b82aab9ca915e88b76e111

  • SHA512

    d9c19cd1ee0a33a71f41138baef05ac817cf1e21b7c0914567d81d53dbcc08c68d82938f9b11ce2905f472faf3aff2edccdbe96fe5eacdf7205c1e23f234c4ad

  • SSDEEP

    6144:6Yh/yFpVvpJKTUGG566y8mPTimAQC2Zr6YUuynmN7zXZR6CrvHegXgJWGLYyc:rqfnp5ezTimZrK1nmNpvegXgJ7zc

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:6731

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Targets

    • Target

      ff99fd8d3c6207711c6ec61de4b491963b1931db0fbd75ea3b4e30f5df482c2b.exe

    • Size

      921KB

    • MD5

      0c9229e2a4bbdbf3bdd91b7d4ac4fc5d

    • SHA1

      53f8ddf64222e39ef7bbd9d8a9ef9ce574e29236

    • SHA256

      ff99fd8d3c6207711c6ec61de4b491963b1931db0fbd75ea3b4e30f5df482c2b

    • SHA512

      63e4fbf2e63059a33b6c95d86e7f2fc44048f4d45751a7ad53f922416c8dc85d3d97b5d9a955a6153e0163c0d25bae1b2d7c07cad194db68ebe4405fa6b576f7

    • SSDEEP

      12288:pN50r3mvLhHGfGwjWG4mgkKmWeYk9KSMTVSmTckxcCulrZ4Ait:far3OhHGfGwjWG4mesYkY1BSmvcUt

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks