General

  • Target

    89458108aa7bf24a3610b1038af4dbd3.exe

  • Size

    514KB

  • Sample

    230203-p6c4dafd56

  • MD5

    89458108aa7bf24a3610b1038af4dbd3

  • SHA1

    96986ce94f2a2adc2d6d200bb19cf60a6a41dd0d

  • SHA256

    4c71088d4df1a7c43f0d563634305a8ddce0ebaebaf2df7bcb4d972c55d91267

  • SHA512

    833d20cf1b861a46b42b4414ae3942d1007129140ce41a7c3812a6f2fe4027e98b882e052f302405e451bacba9d5ef79ab9b920a31e8366b5114b71947b14afe

  • SSDEEP

    12288:SH8ugFatNmS4mEhDxRQEpuBO+XDKi3he8KXf/g3GwF:ScRmp4mEx7SX0Q3Gw

Malware Config

Extracted

  • Family

    redline

  • Botnet

    redko

  • C2

    62.204.41.170:4179

  • Attributes

      • auth_value

        9bcf7b0620ff067017d66b9a5d80b547

Extracted

  • Family

    amadey

  • Version

    3.66

  • C2

    193.233.20.2/Bn89hku/index.php

Extracted

  • Family

    redline

  • Botnet

    mixo

  • C2

    176.113.115.16:4122

  • Attributes

      • auth_value

        f8c6749529d254a59e80682dd4ba63f6

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks