General

  • Target

    81ffeaf62fc612b4cc4bae5ba7b6de526fd7c3b27f6507311dfeadefc63cdad1

  • Size

    643KB

  • Sample

    230505-w7zgbsfh4t

  • MD5

    2cc7aa7e0168eb2592a7a8def853bfd0

  • SHA1

    a24ea40f7af17ad880bb435787f2ad638f10fb0b

  • SHA256

    81ffeaf62fc612b4cc4bae5ba7b6de526fd7c3b27f6507311dfeadefc63cdad1

  • SHA512

    8979348294d0f81fc7c650b29b2fd3a729c9106ab2a49671b4d02784b5c6711d26f7e67d9720f5265bbecbc46e86b8f701fef53c98bd3c15ccab6688243ad25c

  • SSDEEP

    12288:9MrAy90hHOH8MDk19op7shYB+R8ZJHft0NdOggdOxXBCSltLA:1yfvk1OecI8r2Xy4RCSvLA

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes

  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Targets

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.