General

  • Target: bd69802d17c0495539e31d37cad0cbb9
  • Size: 3.4MB
  • Sample: 240310-cr1jxahf87
  • MD5: bd69802d17c0495539e31d37cad0cbb9
  • SHA1: 5f162b385ea318e517a266af1f92a56e3b561eb0
  • SHA256: bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32
  • SHA512: 4d42aec63f043e0e1f930a5c570de0d6c5f9be1f56caf99f5b7246d81bd7251b3030b9466195010f6dc020cf4d85fb9dbc17657941c09526a8475ca1cfe187ea
  • SSDEEP: 98304:y8s9pUMEDVqWVZ5aa3X4rCkCVIfORksx0H:yhUTXVdX42kAyLt

Malware Config

Extracted

  • Family: nullmixer
  • C2: http://marisana.xyz/

Extracted

  • Family: redline
  • Botnet: pab3
  • C2: 185.215.113.15:61506

Extracted

  • Family: vidar
  • Version: 40
  • Botnet: 706
  • C2: https://lenak513.tumblr.com/
  • Attributes
      • profile_id: 706

Extracted

  • Family: smokeloader
  • Botnet: pub6

Extracted

  • Family: smokeloader
  • Version: 2020
  • C2:
      http://aucmoney.com/upload/
      http://thegymmum.com/upload/
      http://atvcampingtrips.com/upload/
      http://kuapakualaman.com/upload/
      http://renatazarazua.com/upload/
      http://nasufmutlu.com/upload/
  • rc4.i32
  • rc4.i32

Extracted

  • Family: cryptbot
  • C2:
      knudqw18.top
      morzku01.top
  • Attributes
      • payload_url: http://saryek01.top/download.php?file=lv.exe

Targets

    • Target: bd69802d17c0495539e31d37cad0cbb9
    • Size: 3.4MB
    • MD5: bd69802d17c0495539e31d37cad0cbb9
    • SHA1: 5f162b385ea318e517a266af1f92a56e3b561eb0
    • SHA256: bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32
    • SHA512: 4d42aec63f043e0e1f930a5c570de0d6c5f9be1f56caf99f5b7246d81bd7251b3030b9466195010f6dc020cf4d85fb9dbc17657941c09526a8475ca1cfe187ea
    • SSDEEP: 98304:y8s9pUMEDVqWVZ5aa3X4rCkCVIfORksx0H:yhUTXVdX42kAyLt

    • CryptBot
      A C++ stealer widely distributed in bundles with other software.

    • CryptBot payload

    • NullMixer
      NullMixer is a malware dropper that leads to an infection chain involving a wide variety of malware families.

    • PrivateLoader
      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader
      Modular backdoor trojan in use since 2014.

    • Vidar
      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • ASPack v2.12-2.42
      Detects executables packed with ASPack v2.12-2.42.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target: setup_installer.exe
    • Size: 3.4MB
    • MD5: 15eb5a44613074dee64d6f25eceb66be
    • SHA1: a414befb2fdf6c508d4936f723f8b142828b2b16
    • SHA256: 57f10efc739ec361aebc5282037d8013f39991d2f87ab144dd16e3cd63ed6999
    • SHA512: e749bfd0ccb846547bf2759b6c39515caded7103fb5197059f60321ba26dfc367f9e69f2b7f889173b330ee5342ff94a4b6aec69aee9cedf9eb040dbbafc27a4
    • SSDEEP: 98304:xwCvLUBsgQPoIXHs02aorqdKmUzKDwXQXKV9fV:xNLUCgeoIXM0R3nUz8wrPfV

    • CryptBot
      A C++ stealer widely distributed in bundles with other software.

    • CryptBot payload

    • NullMixer
      NullMixer is a malware dropper that leads to an infection chain involving a wide variety of malware families.

    • PrivateLoader
      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT
      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader
      Modular backdoor trojan in use since 2014.

    • Vidar
      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • ASPack v2.12-2.42
      Detects executables packed with ASPack v2.12-2.42.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks