General

  • Target: e63f4b5a91cc2355ef33235e3ef138e82d168a3e9dd929101d775df6478a9360.bin
  • Size: 867KB
  • Sample: 230501-xkqrcagb4v
  • MD5: c4de65fb82daa97d657be2c6d0ee977c
  • SHA1: 2b4752edfcb2137ecc6ccc73b460be1d49921a59
  • SHA256: e63f4b5a91cc2355ef33235e3ef138e82d168a3e9dd929101d775df6478a9360
  • SHA512: bd1e1526f0d9ee74c1dbb3293074d3dea0aa3abb5dde3cca9fca6d30e1a312ae10d904f0211015c781e70065ba247c4b206b68a85ddb9cf9e8d1af883818f550
  • SSDEEP: 12288:cy90vlTu/pBetfuIHcQj6iDu68fWb/YLAUHMpzjKngK34qEPpWw7vlkfiMx/gksT:cymySH/FKXfc/0AUs1jyR4XBZzmrVg3

Malware Config

Extracted

  • Family: redline
  • Botnet: gena
  • C2: 185.161.248.73:4164
  • Attributes
      • auth_value: d05bf43eef533e262271449829751d07

Extracted

  • Family: redline
  • Botnet: dark
  • C2: 185.161.248.73:4164
  • Attributes
      • auth_value: ae85b01f66afe8770afeed560513fc2d

Targets

    • Target: e63f4b5a91cc2355ef33235e3ef138e82d168a3e9dd929101d775df6478a9360.bin

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks