General

  • Target

    55cc830f41f9e74fbcfe2259d304c99b.bin

  • Size

    312KB

  • Sample

    240111-cyhbxacggq

  • MD5

    55cc830f41f9e74fbcfe2259d304c99b

  • SHA1

    f72fd071a6df30d6b0f145463ed4fe2f7d248e2b

  • SHA256

    e6e106a5206be28f2b76c0190d3c1ba85d4f4bf759babd66c64d9a17a4219ddb

  • SHA512

    293f62b48bda53c1d575636d30813cbb49865ee0d67302c001db3b1fec1de22a8fd2ae3945eca10903e15ee579e5ca22599fb8fb5a03594f593144c36c3aa131

  • SSDEEP

    3072:rjEaOZ+J2LBo0V/NqF4wDa98Egq4IlmWUkbKUGn9zSw5n2iT9BARTYFkc:rSZ/LS0xNKr+9vdlm6bKUGnZnT3Fk

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

rc4.i32

Extracted

Family

smokeloader

Botnet

autm

Targets

    • Target

      55cc830f41f9e74fbcfe2259d304c99b.bin

    • Detect Vidar Stealer

    • Detect ZGRat V1

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext
