Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.zip

  • Size

    1.7MB

  • Sample

    240402-ma5seaef2t

  • MD5

    c54be69f10cca0da13ae2615cf055c05

  • SHA1

    ddbe2113a1c5eb83cfa658860ee034e1b26eaaeb

  • SHA256

    a2a6836458d1fa4c84b346f7d814d9d1846121c10b9280fc1fafd2bf53c07489

  • SHA512

    ab5ba213ae9da1035855529dd744ff10243a53a4c35673864ab17aaff8a0859d21f10842c60e1174e30d122c9fbf504da32c0f5434573faf5145833266dc9f73

  • SSDEEP

    49152:ECiThRJ0+Lm4A1kJPrBzBvuylinW1A8t6SbWTKKDTpDB:EFEs01kJPXukimA8nUBpDB

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

homed

C2

109.107.182.133:19084

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

  • url_paths

    /theme/index.php

rc4.plain

Targets

    • Target

      0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307.exe

    • Size

      1.7MB

    • MD5

      54653af9a150e18cbafede01825b269b

    • SHA1

      d923abc1efc2623ffab48aa910101ee21e3cdb22

    • SHA256

      0514395a778941a5876251dd3d81ab440011d4e8847755e68ebed2fb05ae7307

    • SHA512

      81ae62a4d0d4524f4a7730e3a24864cb9f002ea61e9a384c31bcd41f0515b1ccc2f1e873906bbac96e1a9b98818dac4ad417d96cce21fe470f215ad4ae2fd7f2

    • SSDEEP

      24576:yydIrbu/YHX2v6ptVid2Esc2mWLDdsS7K54la77nCmK0Svr80TN0oiXyMhvjzWh:ZiqY32CptUXZ1YpK54U7zGDYeSBvjz

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Mystic stealer payload

    • Modifies Windows Defender Real-time Protection settings

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks