General
Target: 0x00060000000130e0-1007.dat
Size: 235KB
Sample: 230302-ytrwfaee86
MD5: f6bb53738cf4603c7ce4aa8217857ae6
SHA1: 5a001bb6e34b3360d7ecf911be560f872a3de20a
SHA256: e3ee5ab2a8a569a40facbe16cf960548fe70350fe8003c6c14b37255e5084239
SHA512: 127b02f89f523a225e750093d9ef72f9b60c1d6e996d6b09104c7f9b0507d1c271ce780f8c43cdb8c6e2049bb663d7c5551ae9c95886de9a4a17d70b01c308c3
SSDEEP: 6144:R/qDDbAZiwe41jLDzpZWS2ouViF3DIkJk:t7xjLLW+uViNI7
Behavioral task: behavioral1
Sample: 0x00060000000130e0-1007.exe
Resource: win7-20230220-en
Malware Config
Extracted: amadey, version 3.68, 193.233.20.26/Do3m4Gor/index.php
Extracted: redline, stek, melevv.eu:4162, auth_value 4205381daf6946b2df5fe3bc7eacc918
Extracted: redline, fomich, melevv.eu:4162, auth_value b018e52ac946001794d8b8c23e901859
Targets
Target: 0x00060000000130e0-1007.dat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Creates new service(s)
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v6
Persistence
- Modify Existing Service (1)
- New Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Disabling Security Tools (2)
- Install Root Certificate (1)
- Modify Registry (4)
- Virtualization/Sandbox Evasion (1)