Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    file.exe

  • Size

    946KB

  • Sample

    230216-1d6qrscb82

  • MD5

    cfb166ae6f00d8042f03575ed20e1f85

  • SHA1

    63b5b37f3f1f6c21a72c5708f50bd263a91ae4ba

  • SHA256

    044e087d3d68f3451b4748859e1383e8b0eaa455f00295ebd0d611080b863c3a

  • SHA512

    0abb7041418a01c1339fd33ecedb455ba4b5530e22699d097cbade5c93c6fd03a7500512b52b7de150cb04c97bf6609fdf9685841758f4a2eba5f637675039ff

  • SSDEEP

    24576:yyPmqxUtYjkCMZRJGW5Hs0S0n9ACLidv9:ZeqxNkdL5sZ0OCud

Malware Config

Extracted

Family

redline

Botnet

dubka

C2

193.233.20.13:4136

Attributes
  • auth_value

    e5a9421183a033f283b2f23139b471f0

Extracted

Family

redline

Botnet

ruma

C2

193.233.20.13:4136

Attributes
  • auth_value

    647d00dfaba082a4a30f383bca5d1a2a

Extracted

Family

amadey

Version

3.66

C2

193.233.20.2/Bn89hku/index.php

Extracted

Family

redline

Botnet

ck

C2

176.113.115.17:4132

Attributes
  • auth_value

    7ac4424f89748eae7f5c6a4756d89c28

Targets

    • Target

      file.exe

    • Size

      946KB

    • MD5

      cfb166ae6f00d8042f03575ed20e1f85

    • SHA1

      63b5b37f3f1f6c21a72c5708f50bd263a91ae4ba

    • SHA256

      044e087d3d68f3451b4748859e1383e8b0eaa455f00295ebd0d611080b863c3a

    • SHA512

      0abb7041418a01c1339fd33ecedb455ba4b5530e22699d097cbade5c93c6fd03a7500512b52b7de150cb04c97bf6609fdf9685841758f4a2eba5f637675039ff

    • SSDEEP

      24576:yyPmqxUtYjkCMZRJGW5Hs0S0n9ACLidv9:ZeqxNkdL5sZ0OCud

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks