General
- Target: 76d97e726cf19a93f487ce275ba34ec1d90b0971797eb170304ad5522e646cee
- Size: 521KB
- Sample: 230209-slr9cahb47
- MD5: 53236376f543544913184e5fcddd85c8
- SHA1: 1a70d9d5fc8fa615053ddeeb86110db38d626855
- SHA256: 76d97e726cf19a93f487ce275ba34ec1d90b0971797eb170304ad5522e646cee
- SHA512: 8a9d1296189e09daf276d0ce9d1f9778ebfa7c3fbb85ac9c0e77f2b0a5369ebec756cdecaef84858e8bd7b6984f6ed45bee7561dca1c013819f2cabefd52ba22
- SSDEEP: 12288:uMrey90ZiUf7gyppL2iv1EQLsjal2nYUOqR9xeoac:0yrUfsypp/v1VgjW3HqR2Jc
Static task
static1
Malware Config
Extracted
amadey
3.66
62.204.41.5/Bu58Ngs/index.php
62.204.41.88/9vdVVVjsw/index.php
Extracted
redline
fuka
193.233.20.11:4131
- auth_value: 90eef520554ef188793d77ecc34217bf
Extracted
redline
clean
185.254.37.212:80
- auth_value: 5ff69ff01ad671e755bfff05fc9140f1
Extracted
redline
dubna
193.233.20.11:4131
- auth_value: f324b1269094b7462e56bab025f032f4
Extracted
redline
nocrypt
176.113.115.17:4132
- auth_value: 4fc7cda1ab5883a6197f20f517ce2a8c
Extracted
redline
Hacks
138.128.243.83:30774
- auth_value: d93c40a3415afd4a4c015776bbedd16a
Extracted
redline
romka
193.233.20.11:4131
- auth_value: fcbb3247051f5290e8ac5b1a841af67b
Extracted
redline
crypt
176.113.115.17:4132
- auth_value: 407e05c9b3a74d99a20f90b091547bd6
Targets
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext