Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    14e15fdec7a6332c3dcabb0b06c52907c8c72cf36ab2f069cd5eeaba1a09af9f

  • Size

    992KB

  • Sample

    230331-chmaxshf6s

  • MD5

    8530197e3cd83785e5987496e75e0cf3

  • SHA1

    b43956b0123a5233e8ff23486a00cf4b4927be92

  • SHA256

    14e15fdec7a6332c3dcabb0b06c52907c8c72cf36ab2f069cd5eeaba1a09af9f

  • SHA512

    ce9a7f6f6d1cbc474b2388ba6d7c16837dfeb7fda1c2dea2e36a155ad7e82aabf5318b5ee47e21d8b4ddc927f95736939b7349f8735f9b8e59aacb3eec2581ef

  • SSDEEP

    12288:hMrTy90WM9c6X1w0VSAeJnUdO3fyqW0Ld73hYOLalNA0keEcgrsL/1gRBmwxR0uD:ey10AAeJnUdO3fysLd736lNFTX+GAdj

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

liba

C2

176.113.115.145:4125

Attributes
  • auth_value

    1a62e130767ad862d1fb9d7ab0115025

Extracted

Family

amadey

Version

3.69

C2

193.233.20.36/joomla/index.php

Targets

    • Target

      14e15fdec7a6332c3dcabb0b06c52907c8c72cf36ab2f069cd5eeaba1a09af9f

    • Size

      992KB

    • MD5

      8530197e3cd83785e5987496e75e0cf3

    • SHA1

      b43956b0123a5233e8ff23486a00cf4b4927be92

    • SHA256

      14e15fdec7a6332c3dcabb0b06c52907c8c72cf36ab2f069cd5eeaba1a09af9f

    • SHA512

      ce9a7f6f6d1cbc474b2388ba6d7c16837dfeb7fda1c2dea2e36a155ad7e82aabf5318b5ee47e21d8b4ddc927f95736939b7349f8735f9b8e59aacb3eec2581ef

    • SSDEEP

      12288:hMrTy90WM9c6X1w0VSAeJnUdO3fyqW0Ld73hYOLalNA0keEcgrsL/1gRBmwxR0uD:ey10AAeJnUdO3fysLd736lNFTX+GAdj

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks