General

  • Target

    b4794c64116ed201f03a9c2f79b14534663e704f6c829781b2880c7bd08ae782.exe

  • Size

    1.0MB

  • Sample

    230518-rcwdzabb5y

  • MD5

    87b7719f97471b9012ab80a9117c9d64

  • SHA1

    95a37b2eda6cdd36972da042850299358726f369

  • SHA256

    b4794c64116ed201f03a9c2f79b14534663e704f6c829781b2880c7bd08ae782

  • SHA512

    74b4101f22a393874565f65a58da94c12b0ac450687a5db00f69f6f8b1b455633846c7b6d79f9f62a6029cf0bfd0ab1204dd3a1a295336005c4604242ae97881

  • SSDEEP

    24576:fyh43l9bdoyjoKDSFXQbABaXDjBfO3TLXF:qm9poyjDSFXQbA4TpO/X

Malware Config

Extracted

Family

redline

Botnet

luna

C2

77.91.68.253:4138

Attributes

  • auth_value

    16dec8addb01db1c11c59667022ef7a2

Targets

    • Target

      b4794c64116ed201f03a9c2f79b14534663e704f6c829781b2880c7bd08ae782.exe

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and other sensitive information.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of SetThreadContext
