Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    9097957ef74a711ac6380a85776aff304b66a2555b395f012c24b8c753ec72eb.zip

  • Size

    111KB

  • Sample

    230308-ndqy4afc6t

  • MD5

    857eabb2c3a0a9c466c321c1161ba4df

  • SHA1

    3347ac5f5400a7a7e5ee430a9985527ad845630c

  • SHA256

    8f81aea8532fa47818298688e4e5932bdb78bf3ecaa24e3f45e7a949f05ef123

  • SHA512

    7bd648b4ebbcc8cac4a2c6a80ef30c90fe838d703ab4e22f622cad90edc4c7662a569e6188bfecd5f6ab5782b4be8c606731b27debde68d16b3336d780ca7c6a

  • SSDEEP

    3072:u0B1vUyZ70cDUJZyM+mTqyXqvGSV1tAmp9slY9:R38yjeZUoqyXqvGQGmp9OU

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.68

  • C2

    77.91.78.17/0jVu73d/index.php

Extracted

  • Family

    redline

  • C2

    95.216.251.184:4321

  • Attributes

    • auth_value

      a909e2aaecf96137978fea4f86400b9b

Targets

    • Target

      9097957ef74a711ac6380a85776aff304b66a2555b395f012c24b8c753ec72eb.exe

    • Size

      244KB

    • MD5

      622779b345a28c3999e46f3d5a6a5ec8

    • SHA1

      21a4dc3be99afa3fba8ac935edaf14e6e59e43b0

    • SHA256

      9097957ef74a711ac6380a85776aff304b66a2555b395f012c24b8c753ec72eb

    • SHA512

      f1e24fa86e0421f50da47b634f3549f369604c476f42c18b692695ea44020d9b4cf8142e69752e3749317d678aac21e01eca787c2df30b134c28bf876cd79872

    • SSDEEP

      6144:raKMNkZYYYRHqz5yetq1+Gvuli30oU9ci68:udayF1tuli3c

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks