General

  • Target: ef76b40c8c8bb7aea025d9e20e046a19553bf1d0d6f62bde287f21e72f544dee
  • Size: 1.1MB
  • Sample: 230514-edpllach5s
  • MD5: f419cef1eb73fab1d86bbf07221cee8d
  • SHA1: 33eb3c4a3e3e1c2038cb78df77ae9c893eb4f759
  • SHA256: ef76b40c8c8bb7aea025d9e20e046a19553bf1d0d6f62bde287f21e72f544dee
  • SHA512: 24696fe8974c97863b6a89a825f8c4197a7940e06be8dd3be41bc17ca80ed0e485b5afc4082b8a7abb4180f913aad47e1166abd59466d5cb656ed68f7d12c2b3
  • SSDEEP: 24576:6yNQEBmQ6qRc3vM5nrm6BtWMNtoBnKEfeccADirNg438PkAGEd:BNQEoonr7qMNtoBnvfi0H438PkAP

Malware Config

Extracted

  • Family: redline
  • Botnet: motor
  • C2: 185.161.248.75:4132
  • Attributes
    • auth_value: ec19ab9989a783983c5cbbc0e5ac4a5f

Extracted

  • Family: redline
  • Botnet: terra
  • C2: 185.161.248.75:4132
  • Attributes
    • auth_value: 60df3f535f8aa4e264f78041983592d2

Targets

    • Target: ef76b40c8c8bb7aea025d9e20e046a19553bf1d0d6f62bde287f21e72f544dee

    • Modifies Windows Defender Real-time Protection settings
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
    • Windows security modification
    • Adds Run key to start application
    • Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6