General

  • Target

    862a0a68c747cbabd3447273b160a392.bin

  • Size

    833KB

  • Sample

    230516-bw9spsba27

  • MD5

    22661143211f732a2cc6e0ee379d0fac

  • SHA1

    aa2a1632321c95e0cab793b5cbf5cbe78ffed38c

  • SHA256

    5cdc6cc88bd27b48911efd9d52ab4121f6dd8ea3e1b176b0fc1bde23f0ce8712

  • SHA512

    a50a4217dbd0327aa980558e75ee841cd404a444cac92dd9eaf89b67256df31cebc8babe2f47d135962f36d2c313e13ee09e35d67eef0bc4195f4bb115ee9baa

  • SSDEEP

    12288:x72G8E2CNP7v9aPpIpTFWrSt2fimZ+p/X4RCAGaazphi1mxWswYuy0gq/hi8fo59:B1z571q2Orh5Exp4mxpet/1o56Y7A+

Malware Config

Extracted

Family

redline

Botnet

dimas

C2

185.161.248.75:4132

Attributes
  • auth_value

    a5db9b1c53c704e612bccc93ccdb5539

Extracted

Family

redline

Botnet

roza

C2

185.161.248.75:4132

Attributes
  • auth_value

    3e701c8c522386806a8f1f40a90873a7

Targets

    • Target

      ffb2caf2181442fa0c3f45eb342e31f7283eeaa8786f5ccffe0f8bfcfd166e8f.exe

    • Size

      876KB

    • MD5

      862a0a68c747cbabd3447273b160a392

    • SHA1

      3a4a94fc803dcbfd0a280fbbcc736f701a1708fe

    • SHA256

      ffb2caf2181442fa0c3f45eb342e31f7283eeaa8786f5ccffe0f8bfcfd166e8f

    • SHA512

      48bdd455298ba0fb13df50a8414290a186955fd707da19d636505c663ef58a945a8b0fe9806c4468a90dcbc1c2bd686e377d0fc0602b6702bfab93cb1e130df5

    • SSDEEP

      12288:CMriy9077nTnJ0eAkGfy02XWQUibRQrrqXxyMWOrLMoyGdtN/lEWadBc1zkT1ot:0y8nTnKvibggxxWvoyiEBc6TWt

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks