General

  • Target

    e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841

  • Size

    490KB

  • Sample

    230510-bks1tafe6x

  • MD5

    f19db1e1ba7eca01ce0231741775fcf9

  • SHA1

    e81388a99c1b9f733aa92c17e1e76445c298e571

  • SHA256

    e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841

  • SHA512

    bce53b7ea48697ce249d0f5af60683cc1fae2d36100947518963e37c7e4f3f6c141ec2a247b41cc1e09e66255ad68cc617b41828c0f77a8a5d07447a6fc475b9

  • SSDEEP

    12288:fMriy90ucCr6BVx4Fq4m8PCMOUh4SaT8KO5Iww:JyN6BnT4LLmO5Pw

Malware Config

Extracted

Family

redline

Botnet

lurfa

C2

217.196.96.102:4132

Attributes

  • auth_value

    f6c26c2a5c6c25ae5b2e9abf31f6341d

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Extracted

Family

vidar

Version

3.8

Botnet

fc67c63025837fde307ba18d95f5f729

C2

https://steamcommunity.com/profiles/76561198272578552

https://t.me/libpcre

Attributes

  • profile_id_v2

    fc67c63025837fde307ba18d95f5f729

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Windows security modification

    • Accesses 2FA software files, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
