General

  • Target

    76d97e726cf19a93f487ce275ba34ec1d90b0971797eb170304ad5522e646cee

  • Size

    521KB

  • Sample

    230209-slr9cahb47

  • MD5

    53236376f543544913184e5fcddd85c8

  • SHA1

    1a70d9d5fc8fa615053ddeeb86110db38d626855

  • SHA256

    76d97e726cf19a93f487ce275ba34ec1d90b0971797eb170304ad5522e646cee

  • SHA512

    8a9d1296189e09daf276d0ce9d1f9778ebfa7c3fbb85ac9c0e77f2b0a5369ebec756cdecaef84858e8bd7b6984f6ed45bee7561dca1c013819f2cabefd52ba22

  • SSDEEP

    12288:uMrey90ZiUf7gyppL2iv1EQLsjal2nYUOqR9xeoac:0yrUfsypp/v1VgjW3HqR2Jc

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.5/Bu58Ngs/index.php

62.204.41.88/9vdVVVjsw/index.php

Extracted

Family

redline

Botnet

fuka

C2

193.233.20.11:4131

Attributes
  • auth_value

    90eef520554ef188793d77ecc34217bf

Extracted

Family

redline

Botnet

clean

C2

185.254.37.212:80

Attributes
  • auth_value

    5ff69ff01ad671e755bfff05fc9140f1

Extracted

Family

redline

Botnet

dubna

C2

193.233.20.11:4131

Attributes
  • auth_value

    f324b1269094b7462e56bab025f032f4

Extracted

Family

redline

Botnet

nocrypt

C2

176.113.115.17:4132

Attributes
  • auth_value

    4fc7cda1ab5883a6197f20f517ce2a8c

Extracted

Family

redline

Botnet

Hacks

C2

138.128.243.83:30774

Attributes
  • auth_value

    d93c40a3415afd4a4c015776bbedd16a

Extracted

Family

redline

Botnet

romka

C2

193.233.20.11:4131

Attributes
  • auth_value

    fcbb3247051f5290e8ac5b1a841af67b

Extracted

Family

redline

Botnet

crypt

C2

176.113.115.17:4132

Attributes
  • auth_value

    407e05c9b3a74d99a20f90b091547bd6
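The configs above give everything needed for network detection, but the seven RedLine builds share only four endpoints and the two Amadey C2s are host/path pairs rather than host:port. The following added example (not tria.ge's code) parses the report's own "Extracted" text layout, collapses duplicate C2s and emits Suricata rules. The Amadey HTTP POST check-in to index.php is general Amadey behaviour, not something this report shows; the port-80 key used for Amadey hosts and the SID range are assumptions; the input is a four-block excerpt of the section above, and the full section parses the same way.

```python
"""Extracted-config -> network IOCs -> Suricata rules (added example)."""

# Excerpt of the "Extracted" blocks above, kept in the report's text layout.
REPORT_EXCERPT = """\
Extracted
Family
amadey
Version
3.66
C2
62.204.41.5/Bu58Ngs/index.php
62.204.41.88/9vdVVVjsw/index.php
Extracted
Family
redline
Botnet
fuka
C2
193.233.20.11:4131
Attributes
  • auth_value
    90eef520554ef188793d77ecc34217bf
Extracted
Family
redline
Botnet
dubna
C2
193.233.20.11:4131
Attributes
  • auth_value
    f324b1269094b7462e56bab025f032f4
Extracted
Family
redline
Botnet
nocrypt
C2
176.113.115.17:4132
Attributes
  • auth_value
    4fc7cda1ab5883a6197f20f517ce2a8c
"""

FIELDS = {"Family", "Version", "Botnet", "C2", "Attributes"}


def parse_configs(text):
    """Parse tria.ge-style 'Extracted' blocks into dicts; 'C2' is always a list."""
    configs, current, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()   # drop the bullet on attribute lines
        if not line:
            continue
        if line == "Extracted":                    # a new config block starts
            current = {"C2": []}
            configs.append(current)
            key = None
        elif line in FIELDS:                       # field header -> next lines are values
            key = line.lower()
        elif line == "auth_value":
            key = "auth_value"
        elif current is None:
            continue
        elif key == "c2":
            current["C2"].append(line)
        elif key in ("family", "version", "botnet", "auth_value"):
            current[key] = line
    return configs


def network_iocs(configs):
    """One entry per C2 endpoint. Amadey C2s are host/path (plain HTTP, port 80 assumed);
    RedLine C2s are host:port for its own TCP protocol. Builds that share an
    endpoint are merged and their botnet names kept as labels."""
    iocs = {}
    for cfg in configs:
        for c2 in cfg["C2"]:
            if cfg["family"] == "amadey":
                host, _, path = c2.partition("/")
                key, label, uri = ("amadey", host, 80), "v" + cfg.get("version", "?"), "/" + path
            else:
                host, _, port = c2.rpartition(":")
                key, label, uri = (cfg["family"], host, int(port)), cfg.get("botnet", "?"), None
            iocs.setdefault(key, {"uri": uri, "labels": set()})["labels"].add(label)
    return iocs


def suricata_rules(iocs, base_sid=9000000):
    """Emit one rule per endpoint; base_sid is an arbitrary local SID range (assumption)."""
    rules = []
    for sid, ((family, host, port), info) in enumerate(sorted(iocs.items()), start=base_sid):
        labels = ",".join(sorted(info["labels"]))
        if info["uri"]:   # Amadey: match the check-in POST to the configured path
            rules.append(
                f'alert http $HOME_NET any -> {host} any (msg:"{family} C2 POST {labels}"; '
                f'flow:established,to_server; http.method; content:"POST"; '
                f'http.uri; content:"{info["uri"]}"; sid:{sid}; rev:1;)')
        else:             # RedLine: the port is part of the config, so match on the 5-tuple
            rules.append(
                f'alert tcp $HOME_NET any -> {host} {port} (msg:"{family} C2 {labels}"; '
                f'flow:to_server; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(network_iocs(parse_configs(REPORT_EXCERPT))):
        print(rule)
```

Run against the excerpt this prints four rules: two Amadey HTTP rules keyed on the URI path and two RedLine TCP rules, the 193.233.20.11:4131 rule carrying both botnet names (dubna,fuka) so an alert can be mapped back to whichever build produced it.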

Targets

    • Target

      76d97e726cf19a93f487ce275ba34ec1d90b0971797eb170304ad5522e646cee

    • Amadey

      Amadey is a simple trojan bot primarily used for collecting reconnaissance information and loading additional payloads; here it delivers the RedLine builds listed above.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, autofill entries and browsing history.

    • Uses the VBS compiler for execution

      vbc.exe, the .NET Visual Basic compiler, is a common process-hollowing host for RedLine; the SetThreadContext signature below is the usual trace of that injection.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall in the registry to enumerate the software installed on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is the final step of process hollowing and thread hijacking; it indicates the payload runs inside a legitimate host process rather than from its own image.
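To turn these sandbox signatures into something checkable on an endpoint, the added example below (not part of the report) runs simple rules over constructed Sysmon-style events: Run-key persistence, Defender real-time protection tampering, execution of a binary the sample dropped, a dropped binary spawning vbc.exe, an external-IP lookup, and contact with the C2 endpoints from the Malware Config section. The event shape, the IP-lookup host list, the injection-host list, the port assumed for the Amadey HTTP C2s and every file name in the sample events are assumptions; none of the event data comes from this sample's run.

```python
"""Host-side triage for the behaviours flagged above (added example)."""
import re

# Endpoints from the Malware Config section; port 80 for Amadey's HTTP C2s is assumed.
KNOWN_C2 = {
    ("62.204.41.5", 80), ("62.204.41.88", 80),                      # Amadey 3.66
    ("193.233.20.11", 4131), ("185.254.37.212", 80),                 # RedLine
    ("176.113.115.17", 4132), ("138.128.243.83", 30774),             # RedLine
}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
DEFENDER_RTP = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com"}   # assumed list
INJECTION_HOSTS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}  # assumed list
BUILD_TOOLS = {"msbuild.exe", "devenv.exe"}   # legitimate parents of vbc.exe


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return the set of report signature names matched by a sequence of events.

    Each event is a dict with a 'type' of file_create, process, registry_set,
    dns or network (a simplified Sysmon-like shape, assumed for this example).
    """
    findings, dropped = set(), set()
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            dropped.add(ev["path"].lower())              # remember what the sample wrote
        elif kind == "process":
            if ev["image"].lower() in dropped:
                findings.add("Executes dropped EXE")
            # a non-build-tool parent launching a .NET compiler is the hollowing pattern
            if _basename(ev["image"]) in INJECTION_HOSTS and _basename(ev["parent"]) not in BUILD_TOOLS:
                findings.add("Uses the VBS compiler for execution")
        elif kind == "registry_set":
            if RUN_KEY.search(ev["key"]):
                findings.add("Adds Run key to start application")
            if DEFENDER_RTP.search(ev["key"]) and str(ev.get("value")) == "1":
                findings.add("Modifies Windows Defender Real-time Protection settings")
        elif kind == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            findings.add("Looks up external IP address via web service")
        elif kind == "network" and (ev["dst"], ev["port"]) in KNOWN_C2:
            findings.add("Contacts known Amadey/RedLine C2")   # not a tria.ge signature name
    return findings


# Constructed events in the order an Amadey -> RedLine chain would produce them.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Local\Temp\drop1.exe"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\drop1.exe",
     "parent": r"C:\Users\victim\Downloads\sample.exe"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\drop1.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drop1",
     "value": r"C:\Users\victim\AppData\Local\Temp\drop1.exe"},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "value": 1},
    {"type": "dns", "query": "api.ipify.org"},
    {"type": "network", "dst": "193.233.20.11", "port": 4131},
    {"type": "network", "dst": "142.250.72.14", "port": 443},   # benign noise, should not match
]

BENIGN_EVENTS = [
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Program Files\dotnet\MSBuild.exe"},           # build tool, expected parent
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "value": 1},
]

if __name__ == "__main__":
    for name in sorted(triage(SAMPLE_EVENTS)):
        print(name)
```

The dropped-file tracking is what separates "Executes dropped EXE" from ordinary process creation: the rule only fires for an image the sample itself wrote earlier in the stream, and the vbc.exe rule is suppressed when the parent is a build tool, which is where the compiler legitimately runs.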

MITRE ATT&CK Enterprise v6

Tasks