General

  • Target

    b54032fc01363b6a3dc2378196c4bc4c

  • Size

    4.8MB

  • Sample

    240305-vznt7acc2w

  • MD5

    b54032fc01363b6a3dc2378196c4bc4c

  • SHA1

    c8d3b054ace51f4d59d5f774d690b92b672ac593

  • SHA256

    79d64ca8a0ebef312050fb2a06a68d246aa0acacb30764da9af8fdbc5f821d0a

  • SHA512

    b66b08e4323c430e7274c8dbb0ea75b1040d1b42191d92e7466c56900839e4f31301a058f0192ff7fc7287fd918e59c0b6d6ecdefb61d396c0c6176f91926571

  • SSDEEP

    98304:yurQAZvwDAU9lMnvJ7Y1f8kPon/ox2agN1LwZ+x2vc8DHI9MdoB:yMEDflMnvmf8kPIoyN1LwEkPHI2w

Malware Config

Extracted

  • Family

    nullmixer

  • C2

    http://sornx.xyz/

Extracted

  • Family

    privateloader

  • C2

    http://37.0.10.214/proxies.txt
    http://37.0.10.244/server.txt
    http://wfsdragon.ru/api/setStats.php
    37.0.10.237

Extracted

  • Family

    smokeloader

  • Botnet

    pub6

Extracted

  • Family

    smokeloader

  • Version

    2020

  • C2

    http://aucmoney.com/upload/
    http://thegymmum.com/upload/
    http://atvcampingtrips.com/upload/
    http://kuapakualaman.com/upload/
    http://renatazarazua.com/upload/
    http://nasufmutlu.com/upload/

  • rc4.i32

  • rc4.i32

Extracted

  • Family

    vidar

  • Version

    40.1

  • Botnet

    706

  • C2

    https://eduarroma.tumblr.com/

  • Attributes

    • profile_id

      706

Extracted

  • Family

    redline

  • Botnet

    pub1

  • C2

    viacetequn.site:80

Extracted

  • Family

    cryptbot

  • C2

    bunhiv18.top
    morkix01.top

  • Attributes

    • payload_url

      http://tobdol01.top/download.php?file=lv.exe

Targets

    • Target

      b54032fc01363b6a3dc2378196c4bc4c

    • Size

      4.8MB

    • MD5

      b54032fc01363b6a3dc2378196c4bc4c

    • SHA1

      c8d3b054ace51f4d59d5f774d690b92b672ac593

    • SHA256

      79d64ca8a0ebef312050fb2a06a68d246aa0acacb30764da9af8fdbc5f821d0a

    • SHA512

      b66b08e4323c430e7274c8dbb0ea75b1040d1b42191d92e7466c56900839e4f31301a058f0192ff7fc7287fd918e59c0b6d6ecdefb61d396c0c6176f91926571

    • SSDEEP

      98304:yurQAZvwDAU9lMnvJ7Y1f8kPon/ox2agN1LwZ+x2vc8DHI9MdoB:yMEDflMnvmf8kPIoyN1LwEkPHI2w

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • CryptBot payload

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      setup_installer.exe

    • Size

      4.8MB

    • MD5

      8e88e9762c2c7020225ef6c369f2ef0e

    • SHA1

      15eb5c3f205e19471d3e60322efbddc2e8b2792e

    • SHA256

      e847b7593382c56f6443caea1929e4657e8706a0e55deda227ab98231bde7667

    • SHA512

      3bdeebd9e7f0e1895eebd6d749e9195903fa5e9dfab620e2e50fa719878680106c1f03925cf3fdb4bebbe98b72b6350ccedba6405c03f367591a8741bf8e53da

    • SSDEEP

      98304:xRCvLUBsggNYhWYlw2Cs5llZA9PYJKmt6jFeQXhkYN3g0bM/1Tfe:x6LUCggNSlPllZAZI9t6sQ2fe

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

    • CryptBot payload

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks