Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    0x0006000000016d08-1067.dat

  • Size

    37KB

  • Sample

    231211-cy6z9scaa6

  • MD5

    6d42da649df6616ae2ab7b58f9d8384e

  • SHA1

    980b5fc1f2be7c170434a119d3357ddc80476e10

  • SHA256

    dfa9a3aa507e95b2fa3876830992e506f2fc6dbd430b43ec2f1ffaf3c1d3f1db

  • SHA512

    dcc1ed582a2b78bd606ddadaf8587078a6d2b6b1b9d6cee7f452c6c8f20bb7c01a6ff500421e7cea4fbf745d3530f57ac4869c7e4ea67b466197f22c8570f90f

  • SSDEEP

    768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:6731

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Targets

    • Target

      0x0006000000016d08-1067.dat

    • Size

      37KB

    • MD5

      6d42da649df6616ae2ab7b58f9d8384e

    • SHA1

      980b5fc1f2be7c170434a119d3357ddc80476e10

    • SHA256

      dfa9a3aa507e95b2fa3876830992e506f2fc6dbd430b43ec2f1ffaf3c1d3f1db

    • SHA512

      dcc1ed582a2b78bd606ddadaf8587078a6d2b6b1b9d6cee7f452c6c8f20bb7c01a6ff500421e7cea4fbf745d3530f57ac4869c7e4ea67b466197f22c8570f90f

    • SSDEEP

      768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

    • Detect Lumma Stealer payload V4

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks