Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

  • Size

    225KB

  • Sample

    221218-17n3tagg7s

  • MD5

    6a59c469713da7bb9abc4b8f2e8ac6da

  • SHA1

    e87a23b50b3f3a41c50d62e558153d3a3010a02b

  • SHA256

    3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

  • SHA512

    16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

  • SSDEEP

    3072:Lz08R/4F+88pD4EkNimqFDF6D2lhPBhQuzpw1H4Oc/1dcK4sRPID6bM0mQt0:x4QRnkgZFDFNPouzpw1H4O9NDCP0

Malware Config

Extracted

Family

amadey

Version

3.60

C2

193.42.33.28/game0ver/index.php

Extracted

Family

aurora

C2

45.144.30.146:8081

Extracted

Language
ps1
Source
URLs
exe.dropper

https://cdn.discordapp.com/attachments/1049569242455998544/1049862157858242560/string4633.err

Extracted

Language
ps1
Source
URLs
exe.dropper

https://cdn.discordapp.com/attachments/1049569242455998544/1049862157594021948/string792.err

Extracted

Family

redline

Botnet

installs1

C2

89.23.96.2:7253

Attributes
  • auth_value

    fb538922d8f77f00fb6c39f8066af176

Extracted

Family

redline

Botnet

installs

C2

89.23.96.2:7253

Attributes
  • auth_value

    8d4428f372143572364f044ea9649d7f

Extracted

Family

amadey

Version

3.10

C2

hellomr.observer/f8dfksdj3/index.php

researchersgokick.rocks/f8dfksdj3/index.php

pleasetake.pictures/f8dfksdj3/index.php

Targets

    • Target

      3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

    • Size

      225KB

    • MD5

      6a59c469713da7bb9abc4b8f2e8ac6da

    • SHA1

      e87a23b50b3f3a41c50d62e558153d3a3010a02b

    • SHA256

      3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

    • SHA512

      16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

    • SSDEEP

      3072:Lz08R/4F+88pD4EkNimqFDF6D2lhPBhQuzpw1H4Oc/1dcK4sRPID6bM0mQt0:x4QRnkgZFDFNPouzpw1H4O9NDCP0

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks