
General

  • Target: 3f9a5a10a9cd9b9ef41da2c543c2f11b44beac341e7f55c00142f55c1570e1d3
  • Size: 286KB
  • Sample: 221030-ndwjkshdhq
  • MD5: 143c85d79d3f859120b69fbd22bf73d0
  • SHA1: 23c4c187b99af027c3ff9eb8e8f5498096a83922
  • SHA256: 3f9a5a10a9cd9b9ef41da2c543c2f11b44beac341e7f55c00142f55c1570e1d3
  • SHA512: 08e2b665a1bec4483703cd8e2ce1c20eced0e1e68d6e89150881d3d2743ff5eea19ea217553ca9b8a8aab7b4eac735352d470c6a22577818d55ede9df93711a1
  • SSDEEP: 3072:dCGzz3UcvDLCTcKS9d5/Fj0u2SHWWxDb2oXhZj0tbbj69RaVEa0JM/h3:fUcvDLCTcKSFF0snDfXhZj0ZO9oEaO

Malware Config

Extracted

  • Family: redline
  • Botnet: slovarik15btc
  • C2: 78.153.144.3:2510
  • Attributes
    • auth_value: bfedad55292538ad3edd07ac95ad8952

Extracted

  • Family: redline
  • Botnet: Google2
  • C2: 167.235.71.14:20469
  • Attributes
    • auth_value: fb274d9691235ba015830da570a13578

Extracted

  • Family: redline
  • Botnet: High
  • C2: 80.66.87.20:80
  • Attributes
    • auth_value: e5a19803f83e644a0008c2114f6c607e

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks