General

  • Target: 6e03d1e3c363907151d66c7c12ff99d55fce1f467b8a903d5c985640656ac083
  • Size: 600KB
  • Sample: 230504-lvmlwsbd65
  • MD5: 4fe35b7a52b6d2b607a84e28a3fde4e0
  • SHA1: 46907876d87c47755932b70cf20f5baa61e9a766
  • SHA256: 6e03d1e3c363907151d66c7c12ff99d55fce1f467b8a903d5c985640656ac083
  • SHA512: cef04c41a61d8a6bd3e37d71d663dac9466c586270ec2164338ed2c69289afe4d2e5d5a3c84bdbe5f04f174d6dc4ffb46523e79e423cd3a63fba136e20fb32b9
  • SSDEEP: 12288:OMrKy90igqznx0y5gt7lfNmJBtPjziC7VGRlVyv1I:gyNfaNQBlj+C7UjVym

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes

  • auth_value: 3491f24ae0250969cd45ce4b3fe77549

Targets

    • Target: 6e03d1e3c363907151d66c7c12ff99d55fce1f467b8a903d5c985640656ac083
    • Size: 600KB
    • MD5: 4fe35b7a52b6d2b607a84e28a3fde4e0
    • SHA1: 46907876d87c47755932b70cf20f5baa61e9a766
    • SHA256: 6e03d1e3c363907151d66c7c12ff99d55fce1f467b8a903d5c985640656ac083
    • SHA512: cef04c41a61d8a6bd3e37d71d663dac9466c586270ec2164338ed2c69289afe4d2e5d5a3c84bdbe5f04f174d6dc4ffb46523e79e423cd3a63fba136e20fb32b9
    • SSDEEP: 12288:OMrKy90igqznx0y5gt7lfNmJBtPjziC7VGRlVyv1I:gyNfaNQBlj+C7UjVym

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
