General

  • Target

    1017df0190a029c7e386f9023af7db9771fa3806c215b7028ff8f3f278751148

  • Size

    2.2MB

  • Sample

    231211-xvx86sfcbq

  • MD5

    d2c17f2519d7ead8ee6f3ec86b92da73

  • SHA1

    77364694512d4062e4e13ed8e815cec7bb198cda

  • SHA256

    1017df0190a029c7e386f9023af7db9771fa3806c215b7028ff8f3f278751148

  • SHA512

    3a00adf2acfd07c8022ead4e41f4f61a11d2de3e1c1961af0f733d4602845d6dd926ef0559f92516afe88e4295d2e4cbe1b39ea617c31f4e95ea0f8a8dac070e

  • SSDEEP

    49152:O8pqBbpTVohed3/X/m2bYqfkewOeqmy4k3WXj/S9zklfO3gh1k5lp/V:X0BbchA3/rbYqfgTNXz60fO3l5P/V

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:17066

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927
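The five "Extracted" blocks above are the part of the report an analyst most often needs in machine-readable form. The following is an added example, not code from the page or from Triage, that parses that plain-text listing into structured, defanged IOCs, distinguishes a bare IP (RisePro), an `ip:port` pair (RedLine) and a full URL (SmokeLoader), and skips the SmokeLoader `up3` block that carries no C2. The config text is embedded as it appears on the page; the bare `rc4.i32` lines are key-field labels whose values the page does not reproduce, so they are kept only as unlabeled extras. Function names and the field handling are this example's own assumptions.

```python
"""Parse the 'Malware Config / Extracted' section of a Triage report into IOCs.

Added example (not Triage's code).  Input is the report text, copied verbatim.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed input: the Malware Config section of the report, as plain text.
CONFIG_TEXT = """
Extracted

Family

risepro

C2

193.233.132.51

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:17066

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927
"""

# Field labels Triage prints as a line of their own, value on the next line.
LABELS = {"Family", "Version", "C2", "Botnet"}


def parse_extracted(text):
    """Return one dict per 'Extracted' block, keyed by lower-cased field label.

    A label with no value line (or followed by another label) is stored as None;
    unlabeled lines such as the bare 'rc4.i32' markers go into 'extra'.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    blocks, cur, label = [], None, None
    for ln in lines:
        if ln == "Extracted":
            cur = {}
            blocks.append(cur)
            label = None
        elif cur is None:
            continue                      # text before the first block
        elif ln in LABELS:
            label = ln.lower()
            cur.setdefault(label, None)
        elif label is not None:
            cur[label] = ln
            label = None
        else:
            cur.setdefault("extra", []).append(ln)
    return blocks


def classify_c2(c2):
    """Split a C2 string into (kind, host, port, path)."""
    if c2.startswith(("http://", "https://")):
        u = urlparse(c2)
        port = u.port or (443 if u.scheme == "https" else 80)
        return "url", u.hostname, port, u.path
    host, sep, port = c2.rpartition(":")
    if sep and port.isdigit():
        return "host_port", host, int(port), None
    return "host", c2, None, None         # bare IP or hostname, port unknown


def defang(c2, host):
    """Defang only the host part and the scheme, leaving the path readable."""
    out = c2.replace(host, host.replace(".", "[.]"), 1)
    return re.sub(r"^http", "hxxp", out)


def build_iocs(text):
    """Flatten the parsed blocks into a list of IOC dicts, one per C2."""
    iocs = []
    for b in parse_extracted(text):
        c2 = b.get("c2")
        if not c2:
            continue                      # e.g. the smokeloader/up3 block
        kind, host, port, path = classify_c2(c2)
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False                 # hostname: resolve before blocking
        iocs.append({"family": b.get("family"), "botnet": b.get("botnet"),
                     "version": b.get("version"), "c2": c2, "kind": kind,
                     "host": host, "port": port, "path": path,
                     "is_ip": is_ip, "defanged": defang(c2, host)})
    return iocs


if __name__ == "__main__":
    for ioc in build_iocs(CONFIG_TEXT):
        print(f"{ioc['family']:<12} {ioc['botnet'] or '-':<12} "
              f"{ioc['kind']:<10} {ioc['defanged']}")
```

Note that the RisePro entry carries no port, so it is emitted with `port=None`; block the address, not a guessed socket. The hostname fallback in `classify_c2` matters for reports where a C2 is a domain rather than an IP, which this sample does not have.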

Targets

    • Target

      1017df0190a029c7e386f9023af7db9771fa3806c215b7028ff8f3f278751148

    • Size

      2.2MB

    • Detect ZGRat V1

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory
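Several of the behaviours listed above leave traces that a host sensor records and that can be correlated: a file written with an `.exe` extension and later executed ("Executes dropped EXE"), a value set under a `CurrentVersion\Run` key ("Adds Run key"), a write beneath `System32` by a non-Windows process, a DNS query to a public IP-echo service ("Looks up external IP address"), and a connection to one of the C2 endpoints in the Malware Config section. The following is an added example, not code from the page or from Triage, that runs those checks over a small constructed set of Sysmon-style events (IDs 1, 3, 11, 13 and 22, with only the fields needed). The sample paths, SID, process names and the list of IP-lookup domains are assumptions; the C2 addresses are the ones the report extracted.

```python
"""Correlate Sysmon-style events against the behaviours listed in the report.

Added example (not Triage's code).  Events are constructed; only a subset of
Sysmon fields is modelled.
"""
import re

# C2 endpoints from the report's extracted configs (port None = not shown).
KNOWN_C2 = {
    ("193.233.132.51", None),    # risepro
    ("81.19.131.34", 80),        # smokeloader, http://81.19.131.34/fks/index.php
    ("77.105.132.87", 17066),    # redline, botnet LiveTraffic
    ("176.123.7.190", 32927),    # redline, botnet @oleh_ps
}

# Assumed set of public IP-echo services; the page names none specifically.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ipinfo.io", "api.ip.sb",
                     "icanhazip.com", "ip-api.com"}

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed events, hypothetical paths.  ts = ordering only.
SAMPLE = r"C:\Users\usr\AppData\Local\Temp\sample.exe"
DROPPED = r"C:\Users\usr\AppData\Roaming\svc_host.exe"
EVENTS = [
    {"id": 1, "ts": 1, "image": SAMPLE, "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "ts": 2, "image": SAMPLE, "target": DROPPED},
    {"id": 1, "ts": 3, "image": DROPPED, "parent": SAMPLE},
    {"id": 13, "ts": 4, "image": DROPPED,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc_host"},
    {"id": 11, "ts": 5, "image": DROPPED,
     "target": r"C:\Windows\System32\Tasks\svc_host"},
    {"id": 22, "ts": 6, "image": DROPPED, "query": "api.ipify.org"},
    {"id": 3, "ts": 7, "image": DROPPED, "dst_ip": "77.105.132.87", "dst_port": 17066},
    # benign noise that must not alert
    {"id": 1, "ts": 8, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 22, "ts": 9, "image": r"C:\Program Files\Browser\browser.exe",
     "query": "www.example.com"},
]


def detect(events):
    """Return a time-ordered list of rule hits over the given events.

    Cross-event state: executables created by EventID 11 are remembered so a
    later EventID 1 with that image path is flagged as a dropped-EXE execution.
    """
    hits, dropped_exes = [], set()

    def hit(rule, ev, detail):
        hits.append({"rule": rule, "ts": ev["ts"], "image": ev["image"],
                     "detail": detail})

    for ev in sorted(events, key=lambda e: e["ts"]):
        eid, img_l = ev["id"], ev["image"].lower()
        if eid == 11:                                   # FileCreate
            tgt = ev["target"].lower()
            if tgt.endswith(".exe"):
                dropped_exes.add(tgt)
            if tgt.startswith(SYSTEM32) and not img_l.startswith("c:\\windows\\"):
                hit("system32_drop", ev, ev["target"])
        elif eid == 1 and img_l in dropped_exes:        # ProcessCreate
            hit("dropped_exe_executed", ev, ev["image"])
        elif eid == 13 and RUN_KEY.search(ev["target"]):  # RegistryValueSet
            hit("run_key_persistence", ev, ev["target"])
        elif eid == 22 and ev["query"].lower() in IP_LOOKUP_DOMAINS:  # DNS
            hit("external_ip_lookup", ev, ev["query"])
        elif eid == 3:                                  # NetworkConnect
            key = (ev["dst_ip"], ev["dst_port"])
            if key in KNOWN_C2 or (ev["dst_ip"], None) in KNOWN_C2:
                hit("known_c2", ev, f"{ev['dst_ip']}:{ev['dst_port']}")
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"{h['ts']:>3} {h['rule']:<22} {h['detail']}")
```

Two of the listed behaviours are deliberately absent from this logic: the country-code check and the Uninstall-key enumeration are registry reads, and Sysmon records registry key and value writes, not reads, so they need a sandbox or an EDR with read telemetry. The Run-key rule matches on the key path alone; in production, pair it with the image path of the writer to avoid alerting on legitimate installers.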

MITRE ATT&CK Enterprise v15

Tasks