General

  • Target

    480064974eb314aeed02e1f1c3ab68a6e46f1f8cf5329e92ec6a8d367c0df654

  • Size

    599KB

  • Sample

    230505-wzrrhscg77

  • MD5

    802858c38a71e3f9e4b0b9b730f5f39d

  • SHA1

    efb923bcb3327057df0bffa409ea91d78fdb2559

  • SHA256

    480064974eb314aeed02e1f1c3ab68a6e46f1f8cf5329e92ec6a8d367c0df654

  • SHA512

    ddf66b6533ad7d0ba2f565ed6a45bca7df7c197932a08dd30a78cc986e7ca2d614486b6ef2b24419ec3903991c87e77df4d0c07c699b430846c79ee4bfc20484

  • SSDEEP

    12288:KMrwy90AAb0dWtQiavoX1I0gvgfIPGQKegaWEGaf0VeDX:GyHAb0k+iagazGA+/mDX

Malware Config

Targets

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks