General

  • Target

    0ad26d3093034b50faa90c4e7f0f2f2c1bce0efde5bc07620895f69bb70e9c1c

  • Size

    1.2MB

  • Sample

    230506-y6yjrabd99

  • MD5

    2119a2204db38869a011c9cdd026f024

  • SHA1

    1fda8a77a79caa0e8d3e6510928f0deef54560f6

  • SHA256

    0ad26d3093034b50faa90c4e7f0f2f2c1bce0efde5bc07620895f69bb70e9c1c

  • SHA512

    46c4e1ae21b607d36a6ad25f5cd897e878b169c85f9858646434b872a027ef586a80e66f20ebd739076def2aea32cdc0c54c11f767e82c170eb0c85ff4e2149c

  • SSDEEP

    24576:iyJ9LQISUdMNRkSp+6Z7SjBGnbQEsfQzFinveTn+dX8DfE:JHLQdUYRqI0BobQViiveD+If

Malware Config

Extracted

Family

redline

Botnet

luna

C2

217.196.96.56:4138

Attributes
  • auth_value

    16dec8addb01db1c11c59667022ef7a2

Extracted

Family

redline

Botnet

boom

C2

217.196.96.56:4138

Attributes
  • auth_value

    1ce6aebe15bac07a7bc88b114bc49335

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php
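The two RedLine configs above share one C2 endpoint (217.196.96.56:4138) and differ only in botnet name and auth_value, so an analyst wants the endpoints deduplicated before they become blocks or rules; the Amadey config is a scheme-less HTTP check-in path rather than a raw port. The script below does that normalization and emits Suricata rules from it. It is an added example, not tria.ge tooling; the config values are copied from this report, while the rule SIDs, messages and the assumed port 80 for the scheme-less Amadey URL are my own choices.

```python
"""Turn the configs extracted above into normalized network IOCs and
Suricata rules. Added example, not tria.ge tooling; config values are
copied from this report, rule SIDs/messages are my own choice."""
from urllib.parse import urlsplit

# Copied verbatim from the "Malware Config" section of this report.
EXTRACTED_CONFIGS = [
    {"family": "redline", "botnet": "luna", "c2": ["217.196.96.56:4138"],
     "auth_value": "16dec8addb01db1c11c59667022ef7a2"},
    {"family": "redline", "botnet": "boom", "c2": ["217.196.96.56:4138"],
     "auth_value": "1ce6aebe15bac07a7bc88b114bc49335"},
    {"family": "amadey", "version": "3.70",
     "c2": ["212.113.119.255/joomla/index.php"]},
]


def parse_c2(raw):
    """Split a raw C2 string into (host, port, path).

    RedLine configs carry a bare host:port (path None); Amadey carries a
    scheme-less HTTP check-in URL, for which port 80 is assumed when absent.
    """
    if "/" in raw:
        parts = urlsplit("http://" + raw)
        return parts.hostname, parts.port or 80, parts.path
    if ":" in raw:
        host, _, port = raw.rpartition(":")
        return host, int(port), None
    return raw, None, None


def normalize(configs):
    """Deduplicate endpoints across configs, keeping which families/botnets use each."""
    iocs = {}
    for cfg in configs:
        for raw in cfg["c2"]:
            host, port, path = parse_c2(raw)
            entry = iocs.setdefault((host, port, path), {
                "host": host, "port": port, "path": path,
                "families": set(), "botnets": set()})
            entry["families"].add(cfg["family"])
            if "botnet" in cfg:
                entry["botnets"].add(cfg["botnet"])
    return list(iocs.values())


def suricata_rules(iocs, base_sid=9000001):
    """One rule per endpoint: an http.uri match for the Amadey check-in path,
    a plain TCP flow rule for RedLine's non-HTTP port."""
    rules = []
    for sid, ioc in enumerate(iocs, start=base_sid):
        label = "/".join(sorted(ioc["families"]))
        if ioc["path"]:
            rules.append(
                f'alert http $HOME_NET any -> {ioc["host"]} {ioc["port"]} '
                f'(msg:"{label} C2 check-in"; flow:to_server,established; '
                f'http.uri; content:"{ioc["path"]}"; sid:{sid}; rev:1;)')
        else:
            rules.append(
                f'alert tcp $HOME_NET any -> {ioc["host"]} {ioc["port"]} '
                f'(msg:"{label} C2 connection"; flow:to_server,established; '
                f'sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    iocs = normalize(EXTRACTED_CONFIGS)
    for ioc in iocs:
        print(ioc)
    print("\n".join(suricata_rules(iocs)))
```

The RedLine rule keys on the bare TCP port because the page gives no protocol detail for that endpoint; if later analysis shows the traffic is HTTP-framed, tighten it to an http rule the same way the Amadey one is written. The two auth_value tokens are kept in the config list as-is so they can be carried into a tracking note, but they are not network-observable and so do not appear in the rules.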

Targets

    • Target

      0ad26d3093034b50faa90c4e7f0f2f2c1bce0efde5bc07620895f69bb70e9c1c

    • Size

      1.2MB

    • MD5

      2119a2204db38869a011c9cdd026f024

    • SHA1

      1fda8a77a79caa0e8d3e6510928f0deef54560f6

    • SHA256

      0ad26d3093034b50faa90c4e7f0f2f2c1bce0efde5bc07620895f69bb70e9c1c

    • SHA512

      46c4e1ae21b607d36a6ad25f5cd897e878b169c85f9858646434b872a027ef586a80e66f20ebd739076def2aea32cdc0c54c11f767e82c170eb0c85ff4e2149c

    • SSDEEP

      24576:iyJ9LQISUdMNRkSp+6Z7SjBGnbQEsfQzFinveTn+dX8DfE:JHLQdUYRqI0BobQViiveD+If

    • Amadey

      Amadey is a simple bot/loader: it collects basic reconnaissance information about the infected host, reports it to its C2, and can then be tasked to download and run further payloads.

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before the payload runs.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application
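Two of the signatures above, the Windows Defender real-time protection change and the Run key persistence, are registry writes, which is how they show up in endpoint telemetry outside the sandbox. The script below replays the same two checks over Sysmon-style registry value-set events. It is an added example, not the tria.ge signature code: SAMPLE_EVENTS is constructed to mimic Sysmon Event ID 13 fields and uses hypothetical process and file names, not the task logs of this report.

```python
"""Replay the two registry-write behaviours flagged above against Sysmon
style telemetry. Added example; SAMPLE_EVENTS is constructed to mimic
Sysmon Event ID 13 (value set) and is not taken from this report's tasks."""
import json
import re

# Defender real-time protection switches that malware sets to 1. Both the
# product key and the Group Policy key end in this same subpath.
DEFENDER_RTP = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\"
    r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
    r"DisableOnAccessProtection|DisableIOAVProtection|DisableScanOnRealtimeEnable)$",
    re.IGNORECASE)
# Per-user (HKU/HKCU) and machine (HKLM) autostart entries.
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Sysmon renders REG_DWORD values as "DWORD (0x00000001)".
DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")

SIG_DEFENDER = "Modifies Windows Defender Real-time Protection settings"
SIG_RUN_KEY = "Adds Run key to start application"

# Constructed events with hypothetical process/file names (NDJSON, one per line).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    # Resetting the switch to 0 is not evasion and must not fire.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\updater.exe"},
    # Unrelated per-user setting: no hit.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
])


def classify(event):
    """Return the signature hit for one value-set event, or None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if DEFENDER_RTP.search(target):
        m = DWORD.fullmatch(details)
        if m and int(m.group(1), 16) == 1:
            return {"signature": SIG_DEFENDER, "image": event.get("Image"),
                    "target": target}
        return None
    if RUN_KEY.search(target):
        return {"signature": SIG_RUN_KEY, "image": event.get("Image"),
                "target": target, "autostart": details}
    return None


def scan(ndjson_text):
    """Run classify() over newline-delimited JSON events; return hits in order."""
    hits = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        hit = classify(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The geofence signature ("Checks computer location settings") has no counterpart here on purpose: it is a registry read, and Sysmon only records key creation/deletion, value sets and renames, so that behaviour is visible in the sandbox's API trace but not in this kind of telemetry.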

MITRE ATT&CK Enterprise v6

Tasks