General

  • Target: 87b3b41f6995b1084ef90a5aaf09877a.bin
  • Size: 996KB
  • Sample: 230329-bs7h6sec26
  • MD5: 893fb28e0fa3bc711b390a84cfc81cc1
  • SHA1: 052eddd428cad45a058d074aebc1b51fcf259d27
  • SHA256: 5ab6dc3c9902e5e78a47756d41311d2536bf3c4681ce7a8cb846b088b7495e13
  • SHA512: b529bba4dbb0a6e03167b5b28b2d663eb8ae0cbd102b40a9470cbd04f1cde96c1be85a3c77a41d5d284408e1ac2efd9d385310387255b116bba43e86c8e7fea8
  • SSDEEP: 24576:1gkoqJfPud1wnYQZrN9ar1bFqa3YS33wuX7:hoqJHudj+N9a5Fq9Snwur

Malware Config

Extracted

  • Family: redline
  • Botnet: rosn
  • C2: 176.113.115.145:4125
  • Attributes
    • auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted

  • Family: redline
  • Botnet: renta
  • C2: 176.113.115.145:4125
  • Attributes
    • auth_value: 359596fd5b36e9925ade4d9a1846bafb

Extracted

  • Family: amadey
  • Version: 3.68
  • C2: 31.41.244.200/games/category/index.php

Targets

    • Target: 0494fa919445dde14089ec1df4683fed61b2c0bec370ae99c33250e5a7814293.exe
    • Size: 1.0MB
    • MD5: 87b3b41f6995b1084ef90a5aaf09877a
    • SHA1: 709fd8289f3f9eb893648e0d09bc9878c0b3c73f
    • SHA256: 0494fa919445dde14089ec1df4683fed61b2c0bec370ae99c33250e5a7814293
    • SHA512: f3e9a59dc26f80b3b766e28675300cbaf40f12e18cea5a7414d12158610800aa3d31d00a947f114ea442441a6193b4e03e6128ab2c1b3463fb92cd2a1af068b0
    • SSDEEP: 24576:YyCvCcAqrvDEPN0logVJzO1ICMPY9qIV:fCvDEPNKRa1I0

    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Windows security modification
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

MITRE ATT&CK Enterprise v6

Tasks