Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420
-
Size
286KB
-
Sample
221030-vtm1psbdg7
-
MD5
1fc67595c2e6b55d456b9cd090ece64d
-
SHA1
d714d38984725324da6f222b09b1c4111656cc6f
-
SHA256
514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420
-
SHA512
21a987ea2cfa83a44726e3648b146e0b041b6a25ba4386356cfca614ab7e6af2f1da0b928a94da6dbea6c77188db719142ceb73f06329abb2987726b7fdca876
-
SSDEEP
3072:cSlKU2WLcay9XLa/5eeRCEeg/lKtTb6I8zxNToycoGMWGVggjcGkNIVqI:YU2WLny9XOXsGlOn6ZjTo9od7ITsq
Static task
static1
Behavioral task
behavioral1
Sample
514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
Protocol: ftp- Host:
reanimedia.ru - Port:
21 - Username:
[email protected] - Password:
A2307D2012phpv1
Extracted
Protocol: ftp- Host:
pasco.nl - Port:
21 - Username:
[email protected] - Password:
D040
Extracted
Protocol: ftp- Host:
der-beyer-clan.de - Port:
21 - Username:
[email protected] - Password:
008292
Extracted
Protocol: ftp- Host:
leroyairport.com - Port:
21 - Username:
[email protected] - Password:
1028102868123456123!!
Extracted
Protocol: ftp- Host:
lineartec.de - Port:
21 - Username:
[email protected] - Password:
Juhu4711#
Extracted
Protocol: ftp- Host:
der-beyer-clan.de - Port:
21 - Username:
marc - Password:
008292
Extracted
Protocol: ftp- Host:
lineartec.de - Port:
21 - Username:
mlinaric - Password:
Juhu4711#
Extracted
Protocol: ftp- Host:
leroyairport.com - Port:
21 - Username:
postmaster - Password:
1028102868123456123!!
Extracted
Protocol: ftp- Host:
der-beyer-clan.de - Port:
21 - Username:
admin - Password:
008292
Extracted
Protocol: ftp- Host:
lineartec.de - Port:
21 - Username:
admin - Password:
Juhu4711#
Extracted
Protocol: ftp- Host:
leroyairport.com - Port:
21 - Username:
admin - Password:
1028102868123456123!!
Extracted
Protocol: ftp- Host:
reanimedia.ru - Port:
21 - Username:
shevchenko - Password:
A2307D2012phpv1
Extracted
Protocol: ftp- Host:
reanimedia.ru - Port:
21 - Username:
admin - Password:
A2307D2012phpv1
Extracted
redline
Google2
167.235.71.14:20469
-
auth_value
fb274d9691235ba015830da570a13578
Extracted
vidar
55.3
1767
https://t.me/slivetalks
https://c.im/@xinibin420
-
profile_id
1767
Targets
-
-
Target
514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420
-
Size
286KB
-
MD5
1fc67595c2e6b55d456b9cd090ece64d
-
SHA1
d714d38984725324da6f222b09b1c4111656cc6f
-
SHA256
514e6febf5ebb158e2cbbd8b55669cb4373653398b120f302fa7fcda89525420
-
SHA512
21a987ea2cfa83a44726e3648b146e0b041b6a25ba4386356cfca614ab7e6af2f1da0b928a94da6dbea6c77188db719142ceb73f06329abb2987726b7fdca876
-
SSDEEP
3072:cSlKU2WLcay9XLa/5eeRCEeg/lKtTb6I8zxNToycoGMWGVggjcGkNIVqI:YU2WLny9XOXsGlOn6ZjTo9od7ITsq
-
Detects Smokeloader packer
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-