General

  • Target: 409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14
  • Size: 2.4MB
  • Sample: 221101-k4pbeababr
  • MD5: c1fe936433eb4be74eef3e7095f42d77
  • SHA1: b997230735a2a033647425441f908cb906047523
  • SHA256: 409cd2191cd5207704f590ca05b3ecd94bfe086f09c4aa87422e4126f04cab14
  • SHA512: e33c1fec65c97cd2c5dabeb460ef83e2102201d9d9cf1c2789b7dfa65e2bb6063b927612a7bfc7eff234fc70ee14802af4fe134b8abeb00c4f6fea2adda8e7a6
  • SSDEEP: 24576:cBqYYgYPXQh8RMpJRh9dM46/uN9X5koyLSAOtSL2SxgCl3RuQ55313V:cBmsIoyLSAOtSll3T

Malware Config

Extracted

  • Family: redline
  • Botnet: @mnogokupurbolshoykarman
  • C2: 77.73.134.24:80
  • Attributes
    • auth_value: b555cfd27c33c447be45d0969d5f35d8

Targets

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext