General

  • Target

    f4bb81b0e4cb01d63191d35b9f534875b83c52fbb6a3e4ce46bd5ad90455d639

  • Size

    322KB

  • Sample

    221102-jkqjpaacb5

  • MD5

    468e03b0d6f647fdcd5b106dc6867ec4

  • SHA1

    170b74af5f578040b50ca88db17433b80069a045

  • SHA256

    f4bb81b0e4cb01d63191d35b9f534875b83c52fbb6a3e4ce46bd5ad90455d639

  • SHA512

    a77db43f5c3bae0bb77ce6805be8ce89b046b46be8555f486f0888c19dc625fe6617f1f8348e89ea004db19cab4f6ea2c5fb25ba4749f9efe8c68b85c4010dcf

  • SSDEEP

    3072:PY82Ki8oFBshc5XTht6jsEnoJGDtkTp8aRhvHuzCQr6VggjcGkNIVqIZ:A82NBmuhLEnoIxa8UOZrC7ITsq4

Malware Config

Extracted

Family

redline

Botnet

Google2

C2

167.235.71.14:20469

Attributes

  • auth_value

    fb274d9691235ba015830da570a13578

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks