General

  • Target

    file.exe

  • Size

    783KB

  • Sample

    230210-mkyrvabc43

  • MD5

    806d990edc91fe7cb95ea2e6b86e3533

  • SHA1

    540b81b1a4375d9658bf3cd9d0af15ba790ec15b

  • SHA256

    77bc01a4eede5bca41a64a18e338570895b9989d7fa21ae94c8998e7e1ff3fa9

  • SHA512

    c2296bf0d9502d5cc17380a9822c48e9960c2a982b6e25fd58f5be9eb0bb3417e253e6ad5412b72fa0c190d11891a8613048518fc41fff988a209ef54dfbb934

  • SSDEEP

    12288:QMrqy902iD5s9DZThWA3E83N8ClrHamLikFF7HMlqwDL6ztBgEtN:qy+D5s99FWAzdlr93S5cgED

Malware Config

Extracted

Family

redline

Botnet

dubna

C2

193.233.20.11:4131

Attributes
  • auth_value

    f324b1269094b7462e56bab025f032f4

Extracted

Family

redline

Botnet

romka

C2

193.233.20.11:4131

Attributes
  • auth_value

    fcbb3247051f5290e8ac5b1a841af67b

Extracted

Family

amadey

Version

3.66

C2

62.204.41.4/Gol478Ns/index.php
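The two RedLine extractions above share one C2 (193.233.20.11:4131) and differ only in botnet name and auth_value, while the Amadey extraction gives an IP plus a URL path rather than a port. The following is an added example, not tria.ge's code, that parses both C2 forms as printed in the report into indicators and runs them over network log lines. The log format (ts, src_ip, dst_ip, dst_port, uri) and the traffic lines are constructed for the example; only the two C2 addresses and the auth_values come from the report.

```python
"""Turn the C2 indicators extracted in this report into matchable
indicators and run them over constructed network log lines."""
import re
from dataclasses import dataclass
from typing import Optional

# C2 strings exactly as printed in the "Malware Config" section above.
REPORT_C2 = {
    "193.233.20.11:4131": "redline (botnets dubna, romka)",
    "62.204.41.4/Gol478Ns/index.php": "amadey 3.66",
}

# RedLine auth_value per botnet, also from the report; useful for clustering
# other extractions that share a C2 but carry a different botnet name.
REDLINE_AUTH_VALUES = {
    "f324b1269094b7462e56bab025f032f4": "dubna",
    "fcbb3247051f5290e8ac5b1a841af67b": "romka",
}


@dataclass(frozen=True)
class Indicator:
    family: str
    ip: str
    port: Optional[int]   # None: the report gave no port
    path: Optional[str]   # None: the report gave no URL path


# Accepts 'ip', 'ip:port' (RedLine) and 'ip/path' (Amadey) forms.
C2_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(/\S*)?")


def parse_indicators(report_c2: dict) -> list:
    """Parse the C2 strings as printed in the report into Indicator objects."""
    out = []
    for raw, family in report_c2.items():
        m = C2_RE.fullmatch(raw)
        if m is None:
            raise ValueError(f"unrecognised C2 string: {raw!r}")
        ip, port, path = m.groups()
        out.append(Indicator(family, ip, int(port) if port else None, path))
    return out


# Constructed log format (assumption, not from the report):
#   ts src_ip dst_ip dst_port uri   with '-' as uri for non-HTTP flows.
LOG_FIELDS = ("ts", "src_ip", "dst_ip", "dst_port", "uri")


def scan(lines, indicators) -> list:
    """Return (ts, src_ip, family, confidence) for each line hitting an indicator.

    'exact'   : every field the report specified (ip, and port/path where given) matched.
    'ip-only' : destination IP matched but port or path did not; worth a look, but
                could be another tenant on a shared host, so rank it lower.
    """
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(LOG_FIELDS):
            continue  # malformed or truncated line, skip rather than crash
        rec = dict(zip(LOG_FIELDS, parts))
        for ind in indicators:
            if rec["dst_ip"] != ind.ip:
                continue
            port_ok = ind.port is None or rec["dst_port"] == str(ind.port)
            path_ok = ind.path is None or rec["uri"] == ind.path
            level = "exact" if (port_ok and path_ok) else "ip-only"
            alerts.append((rec["ts"], rec["src_ip"], ind.family, level))
    return alerts


# Constructed sample traffic; only the two C2 addresses come from the report.
SAMPLE_LOG = """\
2023-02-10T12:00:01Z 10.0.0.15 203.0.113.5 443 -
2023-02-10T12:00:07Z 10.0.0.15 193.233.20.11 4131 -
2023-02-10T12:00:09Z 10.0.0.15 62.204.41.4 80 /Gol478Ns/index.php
2023-02-10T12:03:30Z 10.0.0.22 62.204.41.4 80 /
2023-02-10T12:05:00Z 10.0.0.15 193.233.20.11 8080 -
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines(), parse_indicators(REPORT_C2)):
        print(*alert)
```

Against the constructed log this yields two exact hits (the RedLine port and the Amadey path) and two ip-only hits (a different port on the RedLine host, a different path on the Amadey host). Keep the ip-only tier: C2 operators move ports and paths between builds far more often than they move hosts.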

Targets

    • Target

      file.exe

    • Size

      783KB

    • MD5

      806d990edc91fe7cb95ea2e6b86e3533

    • SHA1

      540b81b1a4375d9658bf3cd9d0af15ba790ec15b

    • SHA256

      77bc01a4eede5bca41a64a18e338570895b9989d7fa21ae94c8998e7e1ff3fa9

    • SHA512

      c2296bf0d9502d5cc17380a9822c48e9960c2a982b6e25fd58f5be9eb0bb3417e253e6ad5412b72fa0c190d11891a8613048518fc41fff988a209ef54dfbb934

    • SSDEEP

      12288:QMrqy902iD5s9DZThWA3E83N8ClrHamLikFF7HMlqwDL6ztBgEtN:qy+D5s99FWAzdlr93S5cgED

    • Amadey

      Amadey is a simple trojan bot primarily used for collecting reconnaissance information and loading further payloads.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, session cookies and autofill data.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
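The signature names above are the sandbox's own summaries of what the sample did. The following is an added example, not tria.ge's code, that applies equivalent logic on an endpoint: it reads Sysmon Event ID 13 (registry value set) records and flags the two registry-side behaviours listed, Run key persistence and Defender real-time protection tampering. The specific value names under the Real-Time Protection policy key are an assumption about what the generic signature refers to, and the events below are constructed, not taken from the report.

```python
"""Flag Run-key persistence and Defender real-time protection tampering from
Sysmon Event ID 13 (RegistryEvent: value set) records."""
import json
import re
from typing import Optional

# Assumption: value names under the Real-Time Protection policy key that,
# when set to 1, switch a protection off. The report's signature does not
# say which value the sample touched, so the rule covers the common set.
DEFENDER_RTP_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
    "DisableIOAVProtection",
}

# Sysmon TargetObject is the full key path plus value name; match the tail.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$",
    re.IGNORECASE,
)
RTP_KEY_RE = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\([^\\]+)$", re.IGNORECASE
)


def dword_value(details: str) -> Optional[int]:
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the integer."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details)
    return int(m.group(1), 16) if m else None


def classify(event: dict) -> Optional[dict]:
    """Return a hit dict for a matching Event ID 13 record, else None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    image = event.get("Image")

    m = RUN_KEY_RE.search(target)
    if m:
        # Any write here is persistence; Details holds the command that will run.
        return {"rule": "run_key_persistence", "value": m.group(1),
                "command": details, "image": image}

    m = RTP_KEY_RE.search(target)
    if m and m.group(1) in DEFENDER_RTP_VALUES and dword_value(details) == 1:
        # Only a change *to* 1 is tampering; Defender itself writes 0 routinely.
        return {"rule": "defender_rtp_disabled", "value": m.group(1),
                "image": image}
    return None


def scan_events(jsonl: str) -> list:
    """Run classify() over newline-delimited JSON events, returning the hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        hit = classify(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed events (not from the report). Paths and SIDs are placeholders;
# 'file.exe' is the report's target name, 'dropped.exe' stands for the
# dropped payload the report does not name.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\file.exe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\user\\AppData\\Roaming\\dropped.exe"}
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\file.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"}
{"EventID": 12, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\file.exe", "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "EventType": "CreateKey"}
"""

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

On the constructed events this produces exactly two hits: the Run value written by file.exe and the DisableRealtimeMonitoring change to 1; the write of 0 by the Defender engine and the key-create event (ID 12) are ignored. The third signature in the list, enumerating Uninstall entries, is a registry read, and Sysmon does not record registry reads (only key create/delete, value set and rename), so that behaviour is visible in a sandbox or an API trace but not in this event source.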

MITRE ATT&CK Enterprise v6

Tasks