
General

  • Target

    file.exe

  • Size

    344KB

  • Sample

    221122-natwksbb42

  • MD5

    75ccd08a0c97ace8136fdb7f8e9595f0

  • SHA1

    0f1a820b10915798e0b4026695fa484f8a44c888

  • SHA256

    707b6abcad4dcd7ec70be02dea64fb17f90065a13126a022e8046c4dd3d0e34c

  • SHA512

    d7e313c253d32b660faf718cd61754b6610ec0799313c9b7a04a292cc769510662e01a9783526aec66246cc98bce80df062cf1a0771f716a4a51fa89a08af7c9

  • SSDEEP

    6144:bK3E/11JKDVqjPtkbSZdRc40hc7oZ22tThsIeGjY6x:R/j0mFYSelhMm22ZVEM

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.50

  • C2

    193.56.146.194/h49vlBP/index.php

Extracted

  • Family

    redline

  • Botnet

    novr

  • C2

    31.41.244.14:4694

  • Attributes

    auth_value: 34ddf4eb9326256f20a48cd5f1e9b496

Targets

    • Target

      file.exe

    • Amadey

      Amadey is a simple trojan bot used primarily to collect reconnaissance information about the infected host.

    • Detect Amadey credential stealer module

    • RedLine

      RedLine Stealer is an information-stealing malware family written in C#, first seen in early 2020.

    • RedLine payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target the stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser profile data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
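The registry and network behaviours in the signature list above translate directly into host-side detection logic. The following Python block is an added example, not code from the Triage report or from either malware family: it replays constructed Sysmon-style events (registry query/set and network connection records) against the C2 indicators from the Malware Config section and the three registry-based signatures. The registry paths each signature keys on (Control Panel\International\Geo\Nation, the CurrentVersion\Uninstall key, and the per-user CurrentVersion\Run key), the event field names, and the assumption that the Amadey C2 is reached over HTTP on port 80 are mine, not stated on the page.

```python
"""Added example (not part of the Triage report): replay the behaviours and
C2 indicators listed in the report against constructed Sysmon-style events.

Assumptions not stated on the page: the registry paths the sandbox keys on
for each signature, the event field names, and that Amadey's C2 is reached
over HTTP on port 80.
"""
import re

# Network IOCs copied from the report's Malware Config section.
REDLINE_C2 = ("31.41.244.14", 4694)            # family: redline, botnet: novr
AMADEY_C2_HOST = "193.56.146.194"              # family: amadey, version 3.50
AMADEY_C2_PATH = "/h49vlBP/index.php"

# (signature name, regex over the lower-cased registry path, registry ops it applies to)
REG_SIGNATURES = [
    # Assumed key: the configured country code lives under
    # HKCU\Control Panel\International\Geo\Nation
    ("Checks computer location settings",
     r"\\control panel\\international\\geo\\nation$", {"query"}),
    # Software inventory via the Uninstall key and its per-product subkeys
    ("Checks installed software on the system",
     r"\\microsoft\\windows\\currentversion\\uninstall(\\|$)", {"query", "enum"}),
    # Persistence: a value written directly under the per-user Run key
    ("Adds Run key to start application",
     r"\\microsoft\\windows\\currentversion\\run\\[^\\]+$", {"set"}),
]


def classify_registry(op, key):
    """Return the signature names a single registry operation triggers."""
    key_lc = key.lower()
    return [name for name, pattern, ops in REG_SIGNATURES
            if op in ops and re.search(pattern, key_lc)]


def classify_network(dst_ip, dst_port, http_path=None):
    """Map a connection to one of the report's C2 indicators, or None."""
    if (dst_ip, dst_port) == REDLINE_C2:
        return "RedLine C2 (botnet novr)"
    # Amadey: match on host; when an HTTP path is known it must be the config URL
    if dst_ip == AMADEY_C2_HOST and http_path in (None, AMADEY_C2_PATH):
        return "Amadey 3.50 C2"
    return None


def scan(events):
    """Walk Sysmon-like events and return (pid, finding, detail) tuples."""
    findings = []
    for ev in events:
        if ev["type"] == "registry":
            for name in classify_registry(ev["op"], ev["key"]):
                findings.append((ev["pid"], name, ev["key"]))
        elif ev["type"] == "network":
            hit = classify_network(ev["dst_ip"], ev["dst_port"], ev.get("http_path"))
            if hit:
                findings.append((ev["pid"], hit, f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return findings


# Constructed events modelled on Sysmon IDs 12/13 (registry) and 3 (network);
# pids and the Run value name "updater" are made up for the example.
SAMPLE_EVENTS = [
    {"type": "registry", "pid": 4120, "op": "query",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "pid": 4120, "op": "enum",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"type": "registry", "pid": 4120, "op": "query",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "registry", "pid": 4120, "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"type": "network", "pid": 4120, "dst_ip": "193.56.146.194", "dst_port": 80,
     "http_path": "/h49vlBP/index.php"},
    {"type": "network", "pid": 5260, "dst_ip": "31.41.244.14", "dst_port": 4694},
    # Benign noise: should produce no findings
    {"type": "registry", "pid": 880, "op": "query", "key": r"HKCU\Software\Classes\.txt"},
    {"type": "network", "pid": 880, "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for pid, finding, detail in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding} <- {detail}")
```

The Run-key pattern deliberately requires a value name directly under `...\CurrentVersion\Run\`, so `RunOnce` and other `Run*` siblings do not match; widen it if the hunt should cover those too. The Geo\Nation query on its own is weak evidence (installers read it as well), so in practice it is the combination with an Uninstall-key enumeration and a Run-key write from the same pid that is worth alerting on.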
