General

  • Target:
    514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420
  • Size:
    286KB
  • Sample:
    221030-vtm1psbdg7
  • MD5:
    1fc67595c2e6b55d456b9cd090ece64d
  • SHA1:
    d714d38984725324da6f222b09b1c4111656cc6f
  • SHA256:
    514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420
  • SHA512:
    21a987ea2cfa83a44726e3648b146e0b041b6a25ba4386356cfca614ab7e6af2f1da0b928a94da6dbea6c77188db719142ceb73f06329abb2987726b7fdca876
  • SSDEEP:
    3072:cSlKU2WLcay9XLa/5eeRCEeg/lKtTb6I8zxNToycoGMWGVggjcGkNIVqI:YU2WLny9XOXsGlOn6ZjTo9od7ITsq

Malware Config

Extracted Credentials

  Protocol  Host               Port  Username           Password
  ftp       reanimedia.ru      21    [email protected]   A2307D2012phpv1
  ftp       der-beyer-clan.de  21    [email protected]   008292
  ftp       leroyairport.com   21    [email protected]   1028102868123456123!!
  ftp       lineartec.de       21    [email protected]   Juhu4711#
  ftp       der-beyer-clan.de  21    marc               008292
  ftp       lineartec.de       21    mlinaric           Juhu4711#
  ftp       leroyairport.com   21    postmaster         1028102868123456123!!
  ftp       der-beyer-clan.de  21    admin              008292
  ftp       lineartec.de       21    admin              Juhu4711#
  ftp       leroyairport.com   21    admin              1028102868123456123!!
  ftp       reanimedia.ru      21    shevchenko         A2307D2012phpv1
  ftp       reanimedia.ru      21    admin              A2307D2012phpv1

Extracted

  • Family:
    redline
  • Botnet:
    Google2
  • C2:
    167.235.71.14:20469
  • Attributes:
    auth_value = fb274d9691235ba015830da570a13578

Extracted

  • Family:
    vidar
  • Version:
    55.3
  • Botnet:
    1767
  • C2:
    https://t.me/slivetalks
    https://c.im/@xinibin420
  • Attributes:
    profile_id = 1767

Targets

    • Target

      514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420 (size and hashes as listed under General above)

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
