General

  • Target

    a6b354a0f54fee9934cb0a5233ee708e.exe

  • Size

    274KB

  • Sample

    221220-m1nxkshd22

  • MD5

    a6b354a0f54fee9934cb0a5233ee708e

  • SHA1

    2c7091dcba19168be529c0a5873effb5b6b34d07

  • SHA256

    fb8592116149c09a733fb220937d1b482f2f656112a7f90176b066fe3c75fa13

  • SHA512

    6f9815460452e41bcb3dd24a9a0867f010f60130ae16479ec371f728364a2a2547a49605ef3121bf356974d350ccba7f0753d7a1b1c4106dfc305ab350fb076b

  • SSDEEP

    6144:cmazLKDg7dSlhUxUAjrGPkjylT8ZE3y6/Ukl3Y9Z8Ca:cmEmDgBNxJj6EylTGSR3u0

Malware Config

Extracted

  • Family: amadey
  • Version: 3.63
  • C2: 62.204.41.79/tT7774433/index.php

Extracted

  • Family: amadey
  • Version: 3.60
  • C2: 62.204.41.13/gjend7w/index.php

Extracted

  • Family: redline
  • Botnet: nokia
  • C2: 31.41.244.198:4083
  • Attributes
      • auth_value: 3b38e056d594ae0cf1368e6e1daa3a4e

Extracted

  • Family: socelars
  • C2: https://hdbywe.s3.us-west-2.amazonaws.com/wduwe19/

Extracted

  • Family: redline
  • Botnet: Pto100TraF333
  • C2: 82.115.223.15:15486
  • Attributes
      • auth_value: d4c53e9109a4b130f5246d494cd30e4d

Extracted

  • Family: amadey
  • Version: 3.50
  • C2: 31.41.244.237/jg94cVd30f/index.php

Targets

    • Target

      a6b354a0f54fee9934cb0a5233ee708e.exe

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
