General

  • Target

    Setu_WINFile_x64x32.rar

  • Size

    11.9MB

  • Sample

    230318-24y92sea66

  • MD5

    51758e35b89dac420595b974d17cd3e1

  • SHA1

    c0784ad432efa0ab92978a9050336ae27cce5c2d

  • SHA256

    40e2a4a10fafb03f8c2702b577cfd05de14fbdbd36d87d76c1a99cdf8e497dbb

  • SHA512

    ac5ad08dfb75520d59e4fe8d1d21f369af1db6ee3ccb1de007e73a14e92ce5ff414464a29dc99b2021ed4c233cb606095fb6f1ea6a82074c317fbe024d2f6fe4

  • SSDEEP

    196608:UWdJhtu32tt4579WDlks99FjCfV5MU7c1Uj9R03pKyzxXL0rKECdn1FSYD/wUzo9:57tltt0BWDl19fE5MF1+R0FzxXAidn1G

Malware Config

Extracted

Family

amadey

Version

3.68

C2

77.91.78.17/0jVu73d/index.php

Extracted

Family

redline

C2

135.181.173.163:4323

Attributes
  • auth_value

    a909e2aaecf96137978fea4f86400b9b
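
The Malware Config block above is the most directly actionable output of the report: the Amadey entry is a scheme-less URL to the bot's PHP panel (the directory name is specific to this panel deployment), and the RedLine entry is the host:port of its raw TCP channel. The script below is an added example, not code from tria.ge, that turns those two strings into network indicators and sweeps proxy and flow log lines for contact with them. The log formats, the client addresses, the non-C2 URLs and the byte counts are constructed for the example.

```python
"""Turn the C2 values a sandbox extracted from Amadey and RedLine into
network indicators and sweep proxy and flow logs for contact with them.
All log lines below are constructed for the example, not real traffic."""
import re
from urllib.parse import urlsplit

# Values copied from the report's "Malware Config" section.
EXTRACTED = {
    "amadey": {"c2": "77.91.78.17/0jVu73d/index.php"},
    "redline": {"c2": "135.181.173.163:4323"},
}


def normalize_c2(value):
    """Classify a config C2 string. Amadey stores a scheme-less URL to its
    PHP panel; RedLine stores host:port for its raw TCP channel."""
    if "/" in value:
        url = value if "://" in value else "http://" + value
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return {"kind": "http", "host": parts.hostname, "port": port, "path": parts.path}
    host, _, port = value.rpartition(":")
    return {"kind": "socket", "host": host, "port": int(port), "path": None}


def build_indicators(config):
    return {family: normalize_c2(entry["c2"]) for family, entry in config.items()}


# Constructed proxy log: "<epoch> <client> <method> <url> <status>"
PROXY_LOG = [
    "1679181001.412 10.20.0.14 GET http://www.msftconnecttest.com/connecttest.txt 200",
    "1679181004.870 10.20.0.14 POST http://77.91.78.17/0jVu73d/index.php 200",
    "1679181009.130 10.20.0.14 GET http://77.91.78.17/update.exe 200",
    "1679181015.002 10.20.0.31 GET http://api.ipify.org/ 200",
]
# Constructed flow records: "<src> <dst> <dport> <proto> <bytes>"
FLOW_LOG = [
    "10.20.0.14 135.181.173.163 4323 tcp 51233",
    "10.20.0.14 135.181.173.163 443 tcp 1200",
    "10.20.0.31 1.1.1.1 53 udp 98",
]

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
FLOW_RE = re.compile(r"^(?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\S+) (?P<bytes>\d+)$")


def match_proxy(line, indicators):
    """Flag a proxy line whose destination host:port matches an HTTP C2. A path
    match raises confidence because the panel directory is deployment-specific;
    other paths on the same host are still worth a look (payload downloads)."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for family, ioc in indicators.items():
        if ioc["kind"] != "http" or (parts.hostname, port) != (ioc["host"], ioc["port"]):
            continue
        confidence = "high" if parts.path == ioc["path"] else "medium"
        return {"family": family, "client": m["client"], "confidence": confidence, "evidence": m["url"]}
    return None


def match_flow(line, indicators):
    """Flag a flow to a socket C2. The destination port is part of the match:
    the same host may carry unrelated services on other ports."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    for family, ioc in indicators.items():
        if ioc["kind"] == "socket" and (m["dst"], int(m["dport"])) == (ioc["host"], ioc["port"]):
            return {"family": family, "client": m["src"], "confidence": "high",
                    "evidence": f"{m['dst']}:{m['dport']}/{m['proto']}"}
    return None


def sweep(proxy_lines, flow_lines, indicators):
    hits = [h for h in (match_proxy(l, indicators) for l in proxy_lines) if h]
    hits += [h for h in (match_flow(l, indicators) for l in flow_lines) if h]
    return hits


if __name__ == "__main__":
    for hit in sweep(PROXY_LOG, FLOW_LOG, build_indicators(EXTRACTED)):
        print(hit)
```

Matching the Amadey indicator on host and port rather than on the full URL is deliberate: the bot also fetches its plugins and secondary payloads from the same panel host, so a host hit with a different path is still a compromised client, just with one less confirming detail.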

Targets

    • Target

      Setu_WINFile_x64x32/Set_WINFile_x64x32.exe

    • Size

      667.6MB

    • MD5

      42cf398e01cf3f15dc1575bad83b703f

    • SHA1

      d3556d724fb4fffdb256d2ceb6ae715d8663cd10

    • SHA256

      344e36cb4ec5e07ad74f5ee8122575f872048a698d058a9d02ffe4f15f88f810

    • SHA512

      8eb5b30cfb993d8bfaa8234b0f1856f81847ede0522c6cac7a2adaaaf9fb37119f7031c73a64ea6bec93aebf3695a380c38a999e7186323f2b0d6af954162d02

    • SSDEEP

      3072:eD6LUbp7KirwsT3cOHC4HIr0tr19ZyUa+zqBMxvKrf+LigBh2AGloxQNwed2tsp9:O6Awi0sTMOtH6crLdkWTpLedGEgGTMQt

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
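
The inner executable is listed at 667.6MB while the archive it was extracted from is 11.9MB. A ratio like that means most of the binary is highly compressible filler, a technique droppers use to push a file past the size limits of AV engines and upload portals. The report does not say where the filler sits; it is frequently appended after the last section as an overlay, so that is what the following added example (not part of the tria.ge report) checks. It locates the overlay from the PE section table, leaves out an Authenticode certificate table if the security data directory points into the overlay, and measures the entropy of what remains. build_test_pe assembles a minimal, non-loadable PE32 so the check runs offline; the 10MB size and 1.0 entropy thresholds are assumed heuristics, not values from the report.

```python
"""Measure the overlay (bytes after the last section) of a PE and flag a
large, low-entropy one as padding. Only the header fields the check needs
are parsed. Thresholds are heuristics chosen for the example."""
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per byte; 0.0 for a run of one byte value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def overlay_info(pe):
    """Return overlay offset, size and entropy (sampled from its first 1MiB)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    # Data directories start at +96 for PE32 (magic 0x10B), +112 for PE32+ (0x20B);
    # entry 4 is the security (Authenticode) table, which lives in the overlay.
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)
    cert_off, cert_size = struct.unpack_from("<II", pe, dd_base + 4 * 8)
    sect_table = opt + size_opt
    end = 0
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay_size = len(pe) - end
    if cert_size and cert_off >= end:
        overlay_size -= cert_size  # a signature is a legitimate overlay, do not count it
        region = (end, cert_off) if cert_off > end else (cert_off + cert_size, len(pe))
    else:
        region = (end, len(pe))
    sample = pe[region[0]:min(region[1], region[0] + (1 << 20))]
    return {"overlay_offset": end, "overlay_size": overlay_size,
            "overlay_entropy": shannon_entropy(sample)}


def assess(pe, min_overlay=10 * 1024 * 1024, max_entropy=1.0):
    """Heuristic: a big overlay made of near-constant bytes is size inflation."""
    info = overlay_info(pe)
    info["padded"] = info["overlay_size"] >= min_overlay and info["overlay_entropy"] <= max_entropy
    return info


def build_test_pe(section_bytes, overlay, cert=b""):
    """Assemble a minimal single-section PE32 for the demo (not loadable)."""
    e_lfanew, opt_size, n_sections = 0x40, 224, 1
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n_sections, 0, 0, 0, opt_size, 0x102)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * n_sections
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    if cert:  # point the security directory at a certificate table appended last
        struct.pack_into("<II", opt, 96 + 4 * 8, raw_ptr + len(section_bytes) + len(overlay), len(cert))
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_bytes), 0x1000,
                                           len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + bytes(opt) + section
    header += b"\0" * (raw_ptr - len(header))
    return header + section_bytes + overlay + cert


if __name__ == "__main__":
    # Constructed input: 16 bytes of code, 12MiB of zero padding appended.
    print(assess(build_test_pe(b"\xC3" * 16, b"\0" * (12 * 1024 * 1024))))
```

On a real sample, read the file with open(path, "rb").read() and pass it to assess; for a file this size, slicing the overlay sample is cheap but the Counter over 1MiB is the only real work. Random-looking filler defeats the entropy test, and padding placed inside a section (inflated .data or a resource) does not show up as overlay at all, so a clean result here is not proof the size is legitimate.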

MITRE ATT&CK Enterprise v6

Tasks