General

  • Target

    326288e784f015e92b191f5a9f0fa00874531b544f691f677417e5eee658033c.zip

  • Size

    1.1MB

  • Sample

    240402-mbbkysef3w

  • MD5

    4fa754f19d104d5a7a086744e7d01625

  • SHA1

    a4fb0d5b3ab014f5009ea67737f7b4b3f339f860

  • SHA256

    bcd060a104ecec57b5c4d0d21833c5d56933c759f6f686512dffc7cd458bd1ba

  • SHA512

    634a0cadf033f1abb14a0fdf7eb560503bf64940bdc1b506c0fee3c85ccfcebaaa77845b0f60386778142f20169d2ab877ee3d28e69b354247d4edea08f76c10

  • SSDEEP

    24576:A4bYzD0uI6CXhwqAETndFqhs4lr4dUw1YIuev4yugFqfCeOAAPaTeMBAPIa2PwE5:A3f036CRoundM24lrsUidVv4yul7WTc9

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

supera

C2

77.91.124.82:19071

Targets

    • Target

      326288e784f015e92b191f5a9f0fa00874531b544f691f677417e5eee658033c.exe

    • Size

      1.2MB

    • MD5

      b086189007b4e0cf08063542a96a8aee

    • SHA1

      4c40dde0e25fc2ea893a54334649eff267f3186b

    • SHA256

      326288e784f015e92b191f5a9f0fa00874531b544f691f677417e5eee658033c

    • SHA512

      b0654b6d76a9084e53120e155f1f75a7bdb020be07287388e41d766d3ec91aec5cb377c731665af4ede4fe6ec6e33a158929a4d4681a877b0a1ab886c5a0d25c

    • SSDEEP

      24576:kyFXCc8RaNMhF4dPyoYp+VdSsjndO4FgOy+Tql7+4fbMi17IxD:zFR8RaehQyFp+bS0njl+lq4f

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
