General

  • Target: file.exe
  • Size: 726KB
  • Sample: 230216-jw4wfsgc4z
  • MD5: 648c0245ab28c9e2fdd0f4fd590741f4
  • SHA1: db4ab2d22ae0fa7e684a6fe160a86e969f67534b
  • SHA256: c3d4fe6b0be7239579f2c4e9fa10339eb359890766ac9c7d492d3b33a7e7dc75
  • SHA512: 8c000054fbdec3cfb331b19fba73f7d0f5eb424f27649928191213947852bf65e8d6b87a9301411cd102295fbd756705dfb754776dde0e2bba19bb238fdc55b7
  • SSDEEP: 12288:XMrHy90zWtBNxND1lQXDP9v4EebW1Z18AjRBB7q32xL8fIlH9lGRlGl6//eVc6c:0yznNrD1qpvdeGZiA9BB8XMHGylUGVcJ

Malware Config

Extracted
  • Family: redline
  • Botnet: fukia
  • C2: 193.233.20.13:4136
  • Attributes: auth_value = e5783636fbd9e4f0cf9a017bce02e67e

Extracted
  • Family: redline
  • Botnet: ruma
  • C2: 193.233.20.13:4136
  • Attributes: auth_value = 647d00dfaba082a4a30f383bca5d1a2a

Extracted
  • Family: amadey
  • Version: 3.66
  • C2: 193.233.20.4/t6r48nSa/index.php

Targets

    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Windows security modification
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
