Resubmissions

23/11/2024, 19:36 UTC

241123-ybkpeasndx 10

13/07/2024, 16:26 UTC

240713-txqqbsybmj 3

13/07/2024, 15:27 UTC

240713-sv4czawfkl 3

08/04/2024, 13:45 UTC

240408-q2dpsaae25 10

21/11/2023, 22:21 UTC

231121-196ewagh72 10

21/11/2023, 22:20 UTC

231121-183ycshf5y 10

21/11/2023, 22:06 UTC

231121-1z2c6sgh38 10

27/08/2023, 18:38 UTC

230827-w98ssaee5z 10

01/06/2023, 22:35 UTC

230601-2h4yeagg74 10

21/04/2023, 17:56 UTC

230421-whz2kahb76 10

General

  • Target

    106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

  • Size

    1.2MB

  • Sample

    230223-yzl75shb79

  • MD5

    5b3b6822964b4151c6200ecd89722a86

  • SHA1

    ce7a11dae532b2ade1c96619bbdc8a8325582049

  • SHA256

    106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

  • SHA512

    2f0d99af35c326cf46810c7421325deb55ae7ca36a8edc2716a3d32d9e6769e0d374581a98912e22fceeb6973e972463ed8b2fa4d4399043c443fa100dfd17b0

  • SSDEEP

    24576:5yY4YriuQJ5X4SuIcmuBLahxwUzN1YyqoVKucvTNLF9:sY4FuIahGxRMoobNLF

Malware Config

Extracted

Family

redline

Botnet

ronur

C2

193.233.20.20:4134

Attributes
  • auth_value

    f88f86755a528d4b25f6f3628c460965

Extracted

Family

redline

Botnet

funka

C2

193.233.20.20:4134

Attributes
  • auth_value

    cdb395608d7ec633dce3d2f0c7fb0741

Extracted

Family

amadey

Version

3.67

C2

193.233.20.15/dF30Hn4m/index.php

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note
    <html>
    <head>
    <style>
    body { background-color: #3366CC; }
    h1 { background-color: RGB(249, 201, 16); }
    p { background-color: maroon; color: white; }
    </style>
    </head>
    <body>
    <center>
    <h1><b> Attention ! All your files </b> have been encrypted. </h1></br>
    <p>
    Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br>
    That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br>
    Getting a decryption of your files is - SIMPLY task.</br></br>
    That all what you need:</br>
    1. Sent Your ID_KEY on mailbox fantomd12@yandex.ru or fantom12@techemail.com </br>
    2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br>
    3. Pay our services. </br>
    4. GET software with passwords for decrypt you files.</br>
    5. Make measures to prevent this type situations again.</br></br>
    IMPORTANT(1)</br>
    Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br>
    IMPORTANT(2) </br>
    We Cant hold you decryption passwords forever. </br>
    ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption.
    </p>
    <p> Your ID_KEY: <br> </p>
    <table width="1024" border="0">
    <tbody>
    <tr>
    <td><p>DPLqTD72Ax1o6uUl1/zT1UwUNB9uBwFYz5nZFZMyyQwH30Y4KrLxBGP+GTvJypF0wUREX06hklGzsdLYI+najuvibK9IsKnG3bcBeiGs0PuYOF57YnoljTQNPVjNkQF8qERBEANZYpAvsl06JSsDjvrULy6I7BU+332xoeb1FmF/CcqcbKG33gwNv4FvXEpSAReLnkIqpBOSZ2/NpcjhRFIEzlJkwlwGslfwJtyIW/sDq0NZn5TCPhbYDaKkCOC3ESYnC9VtMN0MLe948KKYPjiupid0NeSQHwFBbIJnxYADVnsTZ+4LDtqGkj2dB/ttvZivnFzJ5A4wL4LC1W5NOg==ZW4tVVM=</p></td>
    </tr>
    </tbody>
    </table>
    </center></html></body>

Emails

fantomd12@yandex.ru

fantom12@techemail.com

Targets

    • Target

      106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

    • Size

      1.2MB

    • MD5

      5b3b6822964b4151c6200ecd89722a86

    • SHA1

      ce7a11dae532b2ade1c96619bbdc8a8325582049

    • SHA256

      106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

    • SHA512

      2f0d99af35c326cf46810c7421325deb55ae7ca36a8edc2716a3d32d9e6769e0d374581a98912e22fceeb6973e972463ed8b2fa4d4399043c443fa100dfd17b0

    • SSDEEP

      24576:5yY4YriuQJ5X4SuIcmuBLahxwUzN1YyqoVKucvTNLF9:sY4FuIahGxRMoobNLF

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Fantom

      Ransomware which hides encryption process behind fake Windows Update screen.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6
