General

  • Target

    99fdc3f2480ce3d3446916cce4ab33f71c52e1713eed7c8a8f9dc0f51cafa03d

  • Size

    875KB

  • Sample

    230511-vesbwaah9t

  • MD5

    23332cdd082af5d98bbd2b261164253f

  • SHA1

    1f686409309ed3f4d6ffbaec4e6c13c980bfa3d8

  • SHA256

    99fdc3f2480ce3d3446916cce4ab33f71c52e1713eed7c8a8f9dc0f51cafa03d

  • SHA512

    05d1e55647b6608cb87cd2d4374eb63d73355b91c433ff60a896dc9803f9236c7fb62d074251e4e24bd48f9a84499e9644d336db30535ce623c29f206e58ee5b

  • SSDEEP

    24576:pydxrE/44VDt2pOEwp3ntFFeVwLnzlCaVuv:cdxrE/44qe3tamjzlCag

Malware Config

Extracted

  • Family

    redline

  • Botnet

    mixer

  • C2

    185.161.248.75:4132

  • Attributes

    auth_value: 3668eba4f0cb1021a9e9ed55e76ed85e

Extracted

  • Family

    redline

  • Botnet

    roza

  • C2

    185.161.248.75:4132

  • Attributes

    auth_value: 3e701c8c522386806a8f1f40a90873a7

Targets

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
