General

  • Target

    938673925454f6f669e6a41f271eab06.exe

  • Size

    2.6MB

  • Sample

    230415-kepwmsde58

  • MD5

    938673925454f6f669e6a41f271eab06

  • SHA1

    d5999b564fc9dcfff98bc41ff81db13bc1265f17

  • SHA256

    e40fead052850b5d2c4ef6d699c15af82eaee437784b0f359abf5dcc78852b8a

  • SHA512

    17a6c314588efe7da5f9edf109afaf351bd66bc5c2f8706c036f0ae37f206d4cbb8c37225050fc82b1d4099bb576c933d9224bffca04d0756b482077bafa61ec

  • SSDEEP

    49152:IBJ3XfUVsjwRiI38ihJkravhRJVlsVLR7Ideh9EUkUtxheicMSN:y1XfUVsjwsGhJk0hRJcGdehGQ07

Malware Config

Extracted

Family

redline

Botnet

red1

C2

79.137.202.0:81

Attributes

  • auth_value

    149c864a8f73ae7e8a9904bc94f60da1

Extracted

Family

laplas

C2

http://79.137.199.252

Attributes

  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Targets

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
