General

  • Target

    4830beb0d4f59745ebc1ae0f8518e1e0d21ed1d032694acb71b52bf276abed2e

  • Size

    1002KB

  • Sample

    230401-b37xpagd8v

  • MD5

    12db4a1d006e15c8046d0aa2d2266f22

  • SHA1

    34713e0dccd8bc1b884b7ce417a2fa3ddf354e39

  • SHA256

    4830beb0d4f59745ebc1ae0f8518e1e0d21ed1d032694acb71b52bf276abed2e

  • SHA512

    6690a5f9ad458a375770f812cb8b9f029230a15dc20f228a871703b2fa9485c57b73d866b95526fce7005985833b133b5810697d849365087649c000605a42f5

  • SSDEEP

    24576:byy+ySFI3wVgXCbyHfp/IIWxMRyu7xYChKh:O/yfHXCeHx/Dq4xY

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

C2

176.113.115.145:4125

Attributes

  • auth_value

    94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

C2

193.233.20.36/joomla/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
