Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    d02b3a55b79aa8d477c9ebd482fc0742474b5bd599e85c32bca6c7d7f4be6bfc

  • Size

    1.5MB

  • Sample

    230505-ygpkjscd5x

  • MD5

    fb0e5dde6a62026e9094f61e327e08dc

  • SHA1

    53a24a2e2751be225ad4129ce4c7a7d591dcaf2b

  • SHA256

    d02b3a55b79aa8d477c9ebd482fc0742474b5bd599e85c32bca6c7d7f4be6bfc

  • SHA512

    1c51752a7f2c7ae4773325f91654204c067fc7e90ecf1881b783445f258299ccce7eb1e4d9c755f171b3c67d74e4f890f67637c4f2deca68acc16063f31d2646

  • SSDEEP

    24576:SyC2lF1moJds6oAZSwBtQc9A4Mv+45/j5WO7dkWEDGlkuW8C1zJjnlyNFQ:5CW7s6awQtBv+45/j5W8iSlP4jl

Malware Config

Extracted

Family

redline

Botnet

mask

C2

217.196.96.56:4138

Attributes
  • auth_value

    31aef25be0febb8e491794ef7f502c50

Extracted

Family

redline

Botnet

boom

C2

217.196.96.56:4138

Attributes
  • auth_value

    1ce6aebe15bac07a7bc88b114bc49335

Targets

    • Target

      d02b3a55b79aa8d477c9ebd482fc0742474b5bd599e85c32bca6c7d7f4be6bfc

    • Size

      1.5MB

    • MD5

      fb0e5dde6a62026e9094f61e327e08dc

    • SHA1

      53a24a2e2751be225ad4129ce4c7a7d591dcaf2b

    • SHA256

      d02b3a55b79aa8d477c9ebd482fc0742474b5bd599e85c32bca6c7d7f4be6bfc

    • SHA512

      1c51752a7f2c7ae4773325f91654204c067fc7e90ecf1881b783445f258299ccce7eb1e4d9c755f171b3c67d74e4f890f67637c4f2deca68acc16063f31d2646

    • SSDEEP

      24576:SyC2lF1moJds6oAZSwBtQc9A4Mv+45/j5WO7dkWEDGlkuW8C1zJjnlyNFQ:5CW7s6awQtBv+45/j5W8iSlP4jl

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks