
General

  • Target: 8862f70691d3e4fd9993c7bec511b4829403f15fba9b7999708edc372da0103c
  • Size: 134KB
  • Sample: 221002-q1pewshcd4
  • MD5: 0d90cd2b626eb1e2173e0a1fc07fd113
  • SHA1: fbb00ad8ad06bc9286f2e49dca4d5bf1080cc23e
  • SHA256: 8862f70691d3e4fd9993c7bec511b4829403f15fba9b7999708edc372da0103c
  • SHA512: 4079a57b686fe5162c8cafa969469d3879196800245bc6d5f70c92d0cb8c68ca95f863debee4845a713c65c1cc94ccaab4fa32d89711fb2cc64e36b65cd3f775
  • SSDEEP: 3072:F3i2EnRIZK6Su/IhB2lYAuqSoUWBSxRwge4Xfn/per:Bkw/Ij2YlqQWBEQ4f/pe

Malware Config

Extracted

  • Family: redline
  • C2
    • 80.66.87.22:80
    • 80.66.87.13:80
  • Attributes
    • auth_value: 5b663effac3b92fe687f0181631eeff2

Targets

    • Target: 8862f70691d3e4fd9993c7bec511b4829403f15fba9b7999708edc372da0103c
    • Size: 134KB
    • MD5: 0d90cd2b626eb1e2173e0a1fc07fd113
    • SHA1: fbb00ad8ad06bc9286f2e49dca4d5bf1080cc23e
    • SHA256: 8862f70691d3e4fd9993c7bec511b4829403f15fba9b7999708edc372da0103c
    • SHA512: 4079a57b686fe5162c8cafa969469d3879196800245bc6d5f70c92d0cb8c68ca95f863debee4845a713c65c1cc94ccaab4fa32d89711fb2cc64e36b65cd3f775
    • SSDEEP: 3072:F3i2EnRIZK6Su/IhB2lYAuqSoUWBSxRwge4Xfn/per:Bkw/Ij2YlqQWBEQ4f/pe

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6