General

  • Target: 49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe
  • Size: 445KB
  • Sample: 221025-g67zrabgbm
  • MD5: 9ee68713f2a7cffe160e3fc1b446f61e
  • SHA1: 1cd56f8a27c8913e1d8c4dd0c97acdeb0f2242ab
  • SHA256: 49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52
  • SHA512: bc3a3e92b945d2a0e3c1737e0e3173ab8d16ad934f8c0eb76559819f83a6e70e40e1953328db89b5518faf0790cd9fcc04a059f04d011f5f5f5c22502b2db717
  • SSDEEP: 6144:AnKmSDahq196R5aa7OuWigFV5zGlPAMTZSNiicyB7wbtLd4Fr351azS/PIAOr/Tu:FDL6Pv6zrzGlIMTZ+6taB3LazwPIV90

Malware Config

Extracted

  • Family: redline
  • C2: 62.204.41.141:24758
  • Attributes
    • auth_value: ea069d64c780fc5379eeb0792909ac77

Extracted

  • Family: vidar
  • Version: 55.2
  • Botnet: 1707
  • C2
    • https://t.me/slivetalks
    • https://c.im/@xinibin420
  • Attributes
    • profile_id: 1707

Targets

    • Target

      49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Uses the VBS compiler for execution

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
