General

  • Target

    150e9ffdac7f2361c2efa735929aa268.exe

  • Size

    776KB

  • Sample

    240508-rz96msbf92

  • MD5

    150e9ffdac7f2361c2efa735929aa268

  • SHA1

    3ed43e5fb5cd202d91fe31c4a0f8674e5fdb0759

  • SHA256

    d54259b35ece6e39b159317128bfd62f88abbaadd92537379c4bae078e82fe69

  • SHA512

    a56ef522fab3213f2f1d5a15d92615f0a039bf8f8c113e36e38f254b6d58185e5aa0449384d15ac52f1f6ac8d07159ac05d245926fba14ac61462e0911cb39a3

  • SSDEEP

    24576:pMwUwtgszGQgXxHjejMOlF3NdRruHycftxFA:pMwhd0SZlp/YtTA

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

pub2

Targets

    • Target

      150e9ffdac7f2361c2efa735929aa268.exe

    • Size

      776KB

    • MD5

      150e9ffdac7f2361c2efa735929aa268

    • SHA1

      3ed43e5fb5cd202d91fe31c4a0f8674e5fdb0759

    • SHA256

      d54259b35ece6e39b159317128bfd62f88abbaadd92537379c4bae078e82fe69

    • SHA512

      a56ef522fab3213f2f1d5a15d92615f0a039bf8f8c113e36e38f254b6d58185e5aa0449384d15ac52f1f6ac8d07159ac05d245926fba14ac61462e0911cb39a3

    • SSDEEP

      24576:pMwUwtgszGQgXxHjejMOlF3NdRruHycftxFA:pMwhd0SZlp/YtTA

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks