Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    526KB

  • Sample

    230206-fb9dnacb32

  • MD5

    a7d620c6e36415dcc4b190c5be2d42e5

  • SHA1

    fd70707289291cfdd41ce83292115c6ac37a7ad1

  • SHA256

    fbba3230c8bf66a3117bcc4140e960b59a2d66e84b6bc7e53419fd11144a9a3d

  • SHA512

    217ccd2a767f13c6dcffd579dc2cef54389f3e9886737843fc4d26b5e85a44559bca607611f428648591682549915d537ec72d14a66ff2c218d8d4c6500c2d2f

  • SSDEEP

    12288:rMrsy90YkUwny/RDoPCU44Wtd+4GlMRrDKn98Q0bOyb:by480CdbtsnlMJDDlb

Score
10/10
amadeyredlinerhadamanthysmuzhringoringo1temposs6678zaurdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.4/Gol478Ns/index.php

Extracted

Family

redline

Botnet

muzh

C2

62.204.41.170:4172

Attributes
  • auth_value

    ecaea4032f3e80f94da55d8e70a97db0

Extracted

Family

redline

Botnet

ringo

C2

176.113.115.16:4122

Attributes
  • auth_value

    b8f864b25d84b5ed5591e4bfa647cdbe

Extracted

Family

redline

Botnet

zaur

C2

62.204.41.170:4172

Attributes
  • auth_value

    8f24dad16e6d64e3d692e48d05640734

Extracted

Family

redline

Botnet

ringo1

C2

176.113.115.16:4122

Attributes
  • auth_value

    373b070fb57b7689445f097000cbd6c2

Extracted

Family

redline

Botnet

temposs6678

C2

82.115.223.9:15486

Attributes
  • auth_value

    af399e6a2fe66f67025541cf71c64313

Targets

    • Target

      file.exe

    • Size

      526KB

    • MD5

      a7d620c6e36415dcc4b190c5be2d42e5

    • SHA1

      fd70707289291cfdd41ce83292115c6ac37a7ad1

    • SHA256

      fbba3230c8bf66a3117bcc4140e960b59a2d66e84b6bc7e53419fd11144a9a3d

    • SHA512

      217ccd2a767f13c6dcffd579dc2cef54389f3e9886737843fc4d26b5e85a44559bca607611f428648591682549915d537ec72d14a66ff2c218d8d4c6500c2d2f

    • SSDEEP

      12288:rMrsy90YkUwny/RDoPCU44Wtd+4GlMRrDKn98Q0bOyb:by480CdbtsnlMJDDlb

    Score
    10/10
    amadeyredlinerhadamanthysmuzhringoringo1temposs6678zaurdiscoveryevasioninfostealerpersistencespywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Detect rhadamanthys stealer shellcode

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks