Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4

  • Size

    235KB

  • Sample

    221230-17hk2abh9s

  • MD5

    5e445faf7b08cf2ffcac7b38c5d70d5d

  • SHA1

    877098531fb4049581a7c81353fc3c7d7dd2083a

  • SHA256

    4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4

  • SHA512

    9874b8605aafcf7bd46754c2aa0bfbd3e7c14ad0b0791b9d016d828666c4183bc9786390697d6aeaf17d13f1cf615b023c78cff20db35f508d525e15e1e3ae31

  • SSDEEP

    6144:IkwjBO99g6779r0psUhmiIuVyD2NgCJgN:1TrOh2uVyCNnS

Malware Config

Extracted

Family

amadey

Version

3.63

C2

62.204.41.91/8kcnjd3da3/index.php

Extracted

Family

redline

Botnet

letgo

C2

80.66.87.13:22346

Attributes
  • auth_value

    9a4217b7e3f4309698e5e6d932e3545e

Targets

    • Target

      4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4

    • Size

      235KB

    • MD5

      5e445faf7b08cf2ffcac7b38c5d70d5d

    • SHA1

      877098531fb4049581a7c81353fc3c7d7dd2083a

    • SHA256

      4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4

    • SHA512

      9874b8605aafcf7bd46754c2aa0bfbd3e7c14ad0b0791b9d016d828666c4183bc9786390697d6aeaf17d13f1cf615b023c78cff20db35f508d525e15e1e3ae31

    • SSDEEP

      6144:IkwjBO99g6779r0psUhmiIuVyD2NgCJgN:1TrOh2uVyCNnS

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks