Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    fc42d28f9eeec0dd307ebe570e96fa24ee1ce1eef9946300d6483f9f4a6979d7

  • Size

    1.4MB

  • Sample

    230503-vf5ctsfe24

  • MD5

    3b85760d0a63a4e188429476a74b1a35

  • SHA1

    8a8d4694b712bea24084629b32dbf87179e06710

  • SHA256

    fc42d28f9eeec0dd307ebe570e96fa24ee1ce1eef9946300d6483f9f4a6979d7

  • SHA512

    591279ec3b679268961f4f46cd4599caf25d9136b0d5bd80f7141b5cad336490412c266eaf195a16bafddd725f4f4655624e13c5ebd44259c7c18e0e870ea911

  • SSDEEP

    24576:jy/Wg2DpQathExdXOG061PkLBvm9CSTIOBQM0IgMC7zJ6w1vSHS:2/Wg2DWathEx9h0GPksCSTTulz6w16H

Malware Config

Extracted

Family

redline

Botnet

mask

C2

217.196.96.56:4138

Attributes
  • auth_value

    31aef25be0febb8e491794ef7f502c50

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Extracted

Family

redline

Botnet

boom

C2

217.196.96.56:4138

Attributes
  • auth_value

    1ce6aebe15bac07a7bc88b114bc49335

Targets

    • Target

      fc42d28f9eeec0dd307ebe570e96fa24ee1ce1eef9946300d6483f9f4a6979d7

    • Size

      1.4MB

    • MD5

      3b85760d0a63a4e188429476a74b1a35

    • SHA1

      8a8d4694b712bea24084629b32dbf87179e06710

    • SHA256

      fc42d28f9eeec0dd307ebe570e96fa24ee1ce1eef9946300d6483f9f4a6979d7

    • SHA512

      591279ec3b679268961f4f46cd4599caf25d9136b0d5bd80f7141b5cad336490412c266eaf195a16bafddd725f4f4655624e13c5ebd44259c7c18e0e870ea911

    • SSDEEP

      24576:jy/Wg2DpQathExdXOG061PkLBvm9CSTIOBQM0IgMC7zJ6w1vSHS:2/Wg2DWathEx9h0GPksCSTTulz6w16H

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks