General

  • Target

    file.exe

  • Size

    526KB

  • Sample

    230206-fb9dnacb32

  • MD5

    a7d620c6e36415dcc4b190c5be2d42e5

  • SHA1

    fd70707289291cfdd41ce83292115c6ac37a7ad1

  • SHA256

    fbba3230c8bf66a3117bcc4140e960b59a2d66e84b6bc7e53419fd11144a9a3d

  • SHA512

    217ccd2a767f13c6dcffd579dc2cef54389f3e9886737843fc4d26b5e85a44559bca607611f428648591682549915d537ec72d14a66ff2c218d8d4c6500c2d2f

  • SSDEEP

    12288:rMrsy90YkUwny/RDoPCU44Wtd+4GlMRrDKn98Q0bOyb:by480CdbtsnlMJDDlb

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.66

  • C2

    62.204.41.4/Gol478Ns/index.php

Extracted

  • Family

    redline

  • Botnet

    muzh

  • C2

    62.204.41.170:4172

  • Attributes

    auth_value: ecaea4032f3e80f94da55d8e70a97db0

Extracted

  • Family

    redline

  • Botnet

    ringo

  • C2

    176.113.115.16:4122

  • Attributes

    auth_value: b8f864b25d84b5ed5591e4bfa647cdbe

Extracted

  • Family

    redline

  • Botnet

    zaur

  • C2

    62.204.41.170:4172

  • Attributes

    auth_value: 8f24dad16e6d64e3d692e48d05640734

Extracted

  • Family

    redline

  • Botnet

    ringo1

  • C2

    176.113.115.16:4122

  • Attributes

    auth_value: 373b070fb57b7689445f097000cbd6c2

Extracted

  • Family

    redline

  • Botnet

    temposs6678

  • C2

    82.115.223.9:15486

  • Attributes

    auth_value: af399e6a2fe66f67025541cf71c64313

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect rhadamanthys stealer shellcode

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks