Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    05ef523a2d6430dd50e4064cba14a06bd4345ef1e9fd41634a0edb3efefe7583

  • Size

    1.0MB

  • Sample

    230421-sfk8vagb92

  • MD5

    faee8ba1446ba3e97e93c37cfb7b11bd

  • SHA1

    6304baec64bdb8aa62b508dba38bc33ba7e3a47e

  • SHA256

    05ef523a2d6430dd50e4064cba14a06bd4345ef1e9fd41634a0edb3efefe7583

  • SHA512

    fbbd632cbc16ab54faa531cc5ce2898563cc99b1933af85a698b03b69bbbbbb215a00662d8ce95e9e5e515898b2bbd93ffa416f70b580c21f5392a694b290486

  • SSDEEP

    24576:YybeMHucXbPhDCk1Rj5lGCYUDZsl2tsGc8MW8sBf:fbeMOcThrR5sCbecyz8M7I

Malware Config

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Extracted

Family

redline

Botnet

Heavan Dave

C2

199.115.193.116:15763

Attributes
  • auth_value

    53923b5ff123b63db4445e5dfd21c16f

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Targets

    • Target

      05ef523a2d6430dd50e4064cba14a06bd4345ef1e9fd41634a0edb3efefe7583

    • Size

      1.0MB

    • MD5

      faee8ba1446ba3e97e93c37cfb7b11bd

    • SHA1

      6304baec64bdb8aa62b508dba38bc33ba7e3a47e

    • SHA256

      05ef523a2d6430dd50e4064cba14a06bd4345ef1e9fd41634a0edb3efefe7583

    • SHA512

      fbbd632cbc16ab54faa531cc5ce2898563cc99b1933af85a698b03b69bbbbbb215a00662d8ce95e9e5e515898b2bbd93ffa416f70b580c21f5392a694b290486

    • SSDEEP

      24576:YybeMHucXbPhDCk1Rj5lGCYUDZsl2tsGc8MW8sBf:fbeMOcThrR5sCbecyz8M7I

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Laplas Clipper

      Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks