General
Target: 3447abb6f79dd3586dc2061d74f6349e.exe
Size: 216KB
Sample: 240201-kbamjshdcp
MD5: 3447abb6f79dd3586dc2061d74f6349e
SHA1: ec4044da2d08062cd7106652f0775081027d1328
SHA256: fe7d9554cc3d372a10d8b402d1860101c23b02d056117c72dbdd63af3b6963d1
SHA512: b5644239474430dcc97432ce110904f45e831af5aad02e9ba452e1c3cce9eb72f6019d3821d6651364fbb04bed0624cb4af75cedefd1461f404e067711a93191
SSDEEP: 3072:SLAVkKKz6bqDSyfpTzTBfK2baJ8D2tFXjWlt6nEZDvMCkgMXEfpF:SL12QfxxK2WaDGWlt60vagMXI
Static task: static1
Behavioral task: behavioral1
  Sample: 3447abb6f79dd3586dc2061d74f6349e.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 3447abb6f79dd3586dc2061d74f6349e.exe
  Resource: win10v2004-20231222-en
Malware Config
Extracted: smokeloader
  2022
  http://selebration17io.io/index.php
  http://vacantion18ffeu.cc/index.php
  http://valarioulinity1.net/index.php
  http://buriatiarutuhuob.net/index.php
  http://cassiosssionunu.me/index.php
  http://sulugilioiu19.net/index.php
  http://goodfooggooftool.net/index.php
  http://sjyey.com/tmp/index.php
  http://babonwo.ru/tmp/index.php
  http://mth.com.ua/tmp/index.php
  http://piratia.pw/tmp/index.php
  http://go-piratia.ru/tmp/index.php
Extracted: smokeloader
  pub1
Extracted: stealc
  http://185.172.128.79
  url_path: /3886d2276f6914c4.php
Targets
Target: 3447abb6f79dd3586dc2061d74f6349e.exe
Size: 216KB
MD5: 3447abb6f79dd3586dc2061d74f6349e
SHA1: ec4044da2d08062cd7106652f0775081027d1328
SHA256: fe7d9554cc3d372a10d8b402d1860101c23b02d056117c72dbdd63af3b6963d1
SHA512: b5644239474430dcc97432ce110904f45e831af5aad02e9ba452e1c3cce9eb72f6019d3821d6651364fbb04bed0624cb4af75cedefd1461f404e067711a93191
SSDEEP: 3072:SLAVkKKz6bqDSyfpTzTBfK2baJ8D2tFXjWlt6nEZDvMCkgMXEfpF:SL12QfxxK2WaDGWlt60vagMXI
Signatures
- Detect Socks5Systemz Payload
- Glupteba payload
- Downloads MZ/PE file
- Modifies Windows Firewall
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process: Windows Service (1)
  Pre-OS Boot: Bootkit (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process: Windows Service (1)
  Scheduled Task/Job (1)
Defense Evasion
  Impair Defenses: Disable or Modify System Firewall (1)
  Pre-OS Boot: Bootkit (1)