
General

  • Target

    Unlock{Full_Version}.rar

  • Size

    49.1MB

  • Sample

    220911-mbf6fabdf3

  • MD5

    8bc817e68ed54f08f1f259f03dea1adf

  • SHA1

    054d8c22ca1a8ff1f90105fa94ab0822584e8ea6

  • SHA256

    37115878c12ddfa17f6a49d8ff2a9778a5deaa0cbf2de0909bf689410dce1d8f

  • SHA512

    58d82ca1b582b83eff2732287a32ad44b204d2d647d1c9c20010dc8a46d1b29d6fa2c0a7bc91fc8d0b9376c37b9bd2b6e4944d0d726cbef5ff7ec2958963e041

  • SSDEEP

    1572864:5YToMKRcgv7pqAB20gcomSV5wpvwcudOx3J:5YTkRcg1qF0gc9K5wpvdudEJ

Malware Config

Extracted

Family

redline

Botnet

@chaoiiing 17/08/22

C2

92.38.241.94:22922

Attributes

  • auth_value

    72cce26a18d3046167e14710509d2d24

Targets

    • Target

      Unlock{Full_Version}/Setupcanva.exe

    • Size

      750.1MB

    • MD5

      7956afc5b7cdcc25f3afefbe6f60c0ac

    • SHA1

      448f5f12570139a810392009b71b710e5bbf1c64

    • SHA256

      13d88be69d884c2dc3dad8dacb3ca661ff019edd5cd930494531ada0350ff903

    • SHA512

      f334aa41556dc9369c4f8978d410ca2b710e38470b173fe175ce586fa8c9953fbb9e009f98bcf2c5fda988bc4edc2cda1e6686dd1d611d4d504decdec2c1374d

    • SSDEEP

      3072:xekJWGLunDanEw56QyYoIxIDbdRoi4D82r:xRIDanBuPIKDbdRFc8+

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

    • Target

      Unlock{Full_Version}/bin/win32/ffmpegsumo.dll

    • Size

      963KB

    • MD5

      8d6c1353081a166c15ab31ee83906c8e

    • SHA1

      40283ef8b4343553ecf0e6e8aa4170081467bffc

    • SHA256

      564ad57d50ffe96efd0b274a8faf94fe578819405abfc26e2d3d8d092bb465f5

    • SHA512

      2a9737b940d330285c7040cb3e7753f33a4083f0a8a1ec3e487a9ada312f986115ca51a538abe256a735b680a19f410907bf00e2d70638706764bf2a7d52bd04

    • SSDEEP

      12288:shP1NwYxY4gGZF1xdFNT1Ygx+iP/U7Okow2p4mDJbWYmlna7MlPM+fCI1MIx1oU8:s9gkjxdFNT1YC+UEHowA4mdb/AM+3P

    • Score

      3/10

    • Target

      Unlock{Full_Version}/bin/win32/libEGL.dll

    • Size

      208KB

    • MD5

      8a2b8adcac38aebaf2db2f7ac9d48739

    • SHA1

      6b167aa777e3cdceab18c04edc7a64afe58a6152

    • SHA256

      fbed115e8c32a137bbdffffa73d5e5ceb5c82441079c6afe471cd94821c7499e

    • SHA512

      dda6f436ec80d5d993a01f73484034f85fc918ac8707989e01eb53c7c13b1c29678e8165d470524de1dafb0c8fd1523d723b3190f89c5f6e35405ea193db3e34

    • SSDEEP

      3072:BXYFqtvMBOpw+py7arltg9hhKJErP+vsAg0FuUJF/AAg0Fuq157R/iNA:BXYSvMBbl7Ufg9hhKJuosAOUTAAOSsA

    • Score

      1/10

    • Target

      Unlock{Full_Version}/bin/win32/libGLESv2.dll

    • Size

      1.3MB

    • MD5

      69ac8131eb79ea07cde195d2d27508e6

    • SHA1

      4d59d5fd732b2114ab7b0f96158e234e2fb1237b

    • SHA256

      295f132666cbf1eeea2376e56844257e3c6a9bc3da2ffcfc48e08787343c9569

    • SHA512

      66c9e91d690b634f013d502c3e89989735475dad2c637e77d767c174dbc12dc6df7a855a65830e0d796f7d943229a033af76c70e8c5a7a119a90e8d24b7e2e1c

    • SSDEEP

      24576:347pmYf8rDQTOMYSNQamVEUEj0KwmZkCIOO8r:Pwewj6mCROO

    • Score

      1/10

    • Target

      Unlock{Full_Version}/bin/win32/nw.pak

    • Size

      5.5MB

    • MD5

      0d24674943dfff947cefb3e8b90f22fc

    • SHA1

      c21836dfa7fcac7cd756b6499d815906269acdd8

    • SHA256

      0b8e036948dc0e07d41efc71418c1901c7a037b857c6adef0bf0696fb6642634

    • SHA512

      0c7e25901ebd00a619e00a90895bd9c5272e45544a1082789b93d6a912adc188c7cb7ab67f4eb5c4fd06da916e2709c6c18005e5ebda9cb778a471196784635e

    • SSDEEP

      49152:6F6PwseuK3oSVvolWJAv5SfAo2G40FH7FSpXPWav2TU5cCI8IL/s1mF4//V1liwB:JVSfAL9vkWGGG2pLTuN6

    • Score

      1/10

    • Target

      Unlock{Full_Version}/bin/win64/ffmpegsumo.dll

    • Size

      991KB

    • MD5

      83d7e2b05e7fab09258f6763154ce1a2

    • SHA1

      bd80808b0a5b1e32cad270506ca89653a081f3a7

    • SHA256

      f0c4ff613908c0a7b6d3c893984bbd8d63ae21de32d01b45a706667aacff43c6

    • SHA512

      e15524a791118310745645f15c23cd6f8d004c946eb1d3aaea6ab4c4a1300762dad354d374b3bcd029fd30e9fcc54743ae8b4ccb76c7a26b92905de808c83302

    • SSDEEP

      24576:Ms58Z15Ngksc9s0a8wTMMwhmSAzL7aGZELDKPPTykTCO76:MQ2Zgksc9s0aBTMWCO

    • Score

      3/10

    • Target

      Unlock{Full_Version}/bin/win64/libEGL.dll

    • Size

      203KB

    • MD5

      fee39269772633d85ad1ebf4d93611b3

    • SHA1

      915f067094dd1dd3dbe42f3acb53a8becb81b151

    • SHA256

      a974a768c54395a1f00ca5a690c86732ff82f82eec26faa3c4c87cd5322d513d

    • SHA512

      6dc1a70a86d4a3326c2fd8b0775312688c2cfeab7d16d6c4fabc3f6c6c4c0adf715369ac91691b23ed1a741953914b6739b2b050ee428ae963c3aa64c2aab00a

    • SSDEEP

      3072:K3yiHbZ85o+aolTx7H1TQOyRq3uBuUEj+0Y026O+bfEa:AHt87aolT9ahRq+IjZb8

    • Score

      5/10

    • Drops file in System32 directory

    • Target

      Unlock{Full_Version}/bin/win64/libGLESv2.dll

    • Size

      1.6MB

    • MD5

      4314884d92572407e1af1ff1506685df

    • SHA1

      d6f616f0fc3aacc634375ad47a7b32a7ca96fb94

    • SHA256

      6279f0d902e3c9efeff5300eac138c7f2feb15bf4c0ac7297474ed80002aab42

    • SHA512

      ac22e5a97a82c1795c8930068d0abaec2260cf91f9fdd7b01114df40041e204e4555efe2ec627c4d534e699fdd130ee0966f8ef2567f366364b385aeed458878

    • SSDEEP

      49152:TR1FwEMvZmfYItCrDMw8KUD4KMX9+Kw31:hwLZmfYqsDv8KN+

    • Score

      1/10

    • Target

      Unlock{Full_Version}/bin/win64/nw.pak

    • Size

      5.5MB

    • MD5

      0b269e79caf87c9a46ae8c139fa66ff9

    • SHA1

      46dea2d9024a44289565588caa50d223fd140d4a

    • SHA256

      b93f146a82d39e06db62d4d52ff9629c4e380f81b119049e473516babe9bb338

    • SHA512

      c9d6e1e4bf3ce37186d531c70102ca1813b2387e40ad3804b3ad133c8aebe7eb56a2dd4ea02fa2cbbcfd754ece3ae993bbe54273dd6778999d221bc4f9fc1404

    • SSDEEP

      49152:9F6PwseuK3oSVvolWJAv5SfAo2G40FH7FSpXPWav2TU5cCI8IL/s1mF4//V1liwc:SVSfAL9vkWGGG2pLTuM6

    • Score

      7/10

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.
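The signature above reduces to a simple rule: any flow on port 53 (UDP or TCP) whose destination is not one of the host's configured resolvers is suspicious, because malware commonly hard-codes a public resolver to sidestep internal DNS logging, or uses port 53 for traffic that is not DNS at all. The script below is an added example, not code from tria.ge or from the sample; it runs that rule, plus an exact match against the C2 endpoint from the Malware Config section, over a constructed flow log. The key=value line format, the resolver addresses 10.0.0.2/10.0.0.3 and the host IP 10.0.0.15 are assumptions for the example; only the C2 92.38.241.94:22922 comes from the report.

```python
"""Detection logic behind "Unexpected DNS network traffic destination".

Added example, not code from tria.ge or from the analysed sample. The flow
lines, the key=value format and the resolver addresses are constructed;
the C2 endpoint is the one in the report's extracted RedLine config.
"""
from dataclasses import dataclass

DNS_PORT = 53

# Resolvers the analysed host is configured to use (assumption).
CONFIGURED_DNS = frozenset({"10.0.0.2", "10.0.0.3"})

# Extracted RedLine C2 from the Malware Config section of the report.
REDLINE_C2 = ("92.38.241.94", 22922)

# Constructed flow log in a simple key=value format (not a real sandbox format).
SAMPLE_FLOWS = """\
ts=1662895101 src=10.0.0.15 dst=10.0.0.2 dport=53 proto=udp
ts=1662895102 src=10.0.0.15 dst=8.8.8.8 dport=53 proto=udp
ts=1662895103 src=10.0.0.15 dst=1.1.1.1 dport=53 proto=tcp
ts=1662895104 src=10.0.0.15 dst=92.38.241.94 dport=22922 proto=tcp
ts=1662895105 src=10.0.0.15 dst=10.0.0.3 dport=53 proto=udp
ts=1662895106 src=10.0.0.15 dst=10.0.0.2 dport=443 proto=tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse key=value flow lines into Flow objects; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        try:
            flows.append(Flow(int(fields["ts"]), fields["src"], fields["dst"],
                              int(fields["dport"]), fields["proto"].lower()))
        except (KeyError, ValueError):
            continue  # do not let one bad line crash the detector
    return flows


def is_unexpected_dns(flow, configured=CONFIGURED_DNS):
    """Port-53 traffic (UDP or TCP) to any host that is not a configured resolver.

    TCP is included deliberately: DNS falls back to TCP for large answers,
    and port 53/tcp is also a popular disguise for non-DNS C2 traffic.
    """
    return (flow.dport == DNS_PORT
            and flow.proto in ("udp", "tcp")
            and flow.dst not in configured)


def matches_c2(flow, c2=REDLINE_C2):
    """Exact ip:port match against the extracted RedLine C2."""
    return (flow.dst, flow.dport) == c2


def triage(text, configured=CONFIGURED_DNS, c2=REDLINE_C2):
    """Run both checks over a flow log and return the offending destinations."""
    flows = parse_flows(text)
    return {
        "unexpected_dns": [f.dst for f in flows if is_unexpected_dns(f, configured)],
        "c2_hits": [(f.dst, f.dport) for f in flows if matches_c2(f, c2)],
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_FLOWS).items():
        print(key, hits)
```

On the constructed log the rule flags the two public resolvers and leaves the flows to 10.0.0.2 and 10.0.0.3 alone; the C2 check fires only on the exact ip:port pair, so a swap of either value by a later build of the stealer would need the indicator updated, which is why a family-level extractor (as the report's Malware Config section shows) is worth more than a static IOC list.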
