General

  • Target

    dba812d730d390e0bb94cd4eda8726a5b4634c706a836184bb45448c610e2b33

  • Size

    310KB

  • Sample

    221107-cfzhgaegcm

  • MD5

    b0711fde98fc86bcd420e05b83bb2917

  • SHA1

    7934c7f04b9327038a0be3d7055e3e1890eddcfb

  • SHA256

    dba812d730d390e0bb94cd4eda8726a5b4634c706a836184bb45448c610e2b33

  • SHA512

    ef9257df297a7c00e8016fac4dc091b996489b3b1f7bd6e9667193d0d14225d3ab7865cfbbdac2624a685c6ca8cbc6faa7bb0c22d9b2dd8a6040397fafe8c16a

  • SSDEEP

    3072:5pdkSn9ikW+5re1qs2WD/dfGXp4+xJqcu4wIzAVZPOfnlTtXDwB8EN:eSnS0ST2WDcU4PfnlTtXDK5N

Malware Config

Extracted

  • Family

    redline

  • Botnet

    Google2

  • C2

    167.235.71.14:20469

  • Attributes

    auth_value: fb274d9691235ba015830da570a13578

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
