General

  • Target

    5be8da92bbff6083c03ebd4ecaabc4ed278adb79cb7db5a5e9f87e4c4bb09214

  • Size

    2.1MB

  • Sample

    231212-h73l4aacb9

  • MD5

    f3cac5103d38bba4da239b96b2942a09

  • SHA1

    8a6c58dcddffbb9f3d89d86a897ffe060ce3e394

  • SHA256

    a512e0733a49fbe9dc0d0f68c3b7c6e5437943cbb1b79b3580484ad04343174b

  • SHA512

    a72454ef4ff8f3f1c2b69b58a3822e8f0c71b34493e6370ea406af5c17b8710bfbeb189716b69c777472916ca85a605969a9b1aa7cafe3e4ad7c715287284c0b

  • SSDEEP

    49152:bfsm8BmgFl3cQ5JamIgXrT2YSst4wGjM79S0Z/fKiGZZfDGThF+e+snEH:bglPJHIgWYSst+j09rfKiGjDsk

Malware Config

Extracted

  • Family

    risepro

  • C2

    193.233.132.51

Extracted

  • Family

    smokeloader

  • Version

    2022

  • C2

    http://81.19.131.34/fks/index.php

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    redline

  • Botnet

    LiveTraffic

  • C2

    77.105.132.87:17066

Extracted

  • Family

    smokeloader

  • Botnet

    up3

Extracted

  • Family

    redline

  • Botnet

    @oleh_ps

  • C2

    176.123.7.190:32927

Targets

    • Target

      5be8da92bbff6083c03ebd4ecaabc4ed278adb79cb7db5a5e9f87e4c4bb09214

    • Size

      2.2MB

    • MD5

      eb7b0397d806590058cdf4c61f838f32

    • SHA1

      b03b8aaa57d9a924a057ee7d8c1b8ed86c4a8f06

    • SHA256

      5be8da92bbff6083c03ebd4ecaabc4ed278adb79cb7db5a5e9f87e4c4bb09214

    • SHA512

      70e8bc8a7d1858554935a07a77fd3129bac11df20691da3d6804fd36f189ed52670056a3bc6cae7fd95a0122ccc255f63480a55c53d0c96a3acb0a35baa04b2c

    • SSDEEP

      49152:Wpnm+9Bf3c65jsmEyXLB2YSctaUFP959ZfTKoEZjzNgBjgK+srO:mBfnjlEyEYSctp95zTKoEJNo

    • Detect ZGRat V1

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks