General

  • Target: 1e0a9a6a6dbc719a4326c333ee95bbe6.exe
  • Size: 1014KB
  • Sample: 230322-x8dfxsah62
  • MD5: 1e0a9a6a6dbc719a4326c333ee95bbe6
  • SHA1: 8c440628251c732a94c8bf0fe700578eb0a00477
  • SHA256: f4aef4e4264c997d4475ab1f26bc08d64cf1a7f4a49d44a651b4a5f6474179d3
  • SHA512: 5279ed48b9b56ed6f3e33038822e2aead507beae7c28f8a36b03974d17c7a932d893905f5ea83ae54e8a6e7f9b887574860b6782aea89e1b2aaaa246ecb1244f
  • SSDEEP: 24576:AyzUhB8R5d6QMYqrwgKCkP7ewkaGyUbg30BIr:HYhM5UZYq6f5FGM38I

Malware Config

Extracted

  • Family: redline
  • Botnet: down
  • C2: 193.233.20.31:4125
  • Attributes
      • auth_value: 12c31a90c72f5efae8c053a0bd339381

Extracted

  • Family: redline
  • Botnet: sint
  • C2: 193.233.20.31:4125
  • Attributes
      • auth_value: 9d9b763b4dcfbff1c06ef4743cc0399e

Extracted

  • Family: amadey
  • Version: 3.68
  • C2: 62.204.41.87/joomla/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
