
General

  • Target

    f807cd77d6fc15219f412601a11d9bee61c05dd0f083334a3c5c23427e3f08f3

  • Size

    1.0MB

  • Sample

    230518-yvpsgacf7t

  • MD5

    7c6f7c7e8f2e85a604614fca949b326a

  • SHA1

    380a09955fb81dd55013b05cbbd184b0df1ea589

  • SHA256

    f807cd77d6fc15219f412601a11d9bee61c05dd0f083334a3c5c23427e3f08f3

  • SHA512

    81617bf6037ce9273f9261b44c566556cfcb2346e79e939e03f7eb0239570c4576fd571ae6ce1c0a8c9ba61124e4b4c673cedd74e95ebad9d8be3dfdda3a239c

  • SSDEEP

    24576:4yA731oQq/ofPRF9zk5N0w5ftQHxGEu1nC+aRBMJj3EDa:/U3+Qq/aBzk3Z2D0nARKJ

Malware Config

Extracted

Family

redline

Botnet

dako

C2

77.91.68.253:41783

Attributes

  • auth_value

    c6bc6a7edb74e0eff37800710e07bee1
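The hashes and the extracted C2 above are the indicators most analysts pull from a report like this. The script below is an added example, not part of the tria.ge report or its tooling: it computes every digest the report lists for a file in one pass and reports which ones match, and it scans a connection log for traffic to the extracted C2. The key=value log format and the log lines themselves are constructed for the example.

```python
"""Added example (not from the tria.ge report): check a file and a
connection log against the IOCs extracted above."""
import hashlib
import re

# Hashes and C2 copied verbatim from the report.
REPORT_HASHES = {
    "md5": "7c6f7c7e8f2e85a604614fca949b326a",
    "sha1": "380a09955fb81dd55013b05cbbd184b0df1ea589",
    "sha256": "f807cd77d6fc15219f412601a11d9bee61c05dd0f083334a3c5c23427e3f08f3",
    "sha512": (
        "81617bf6037ce9273f9261b44c566556cfcb2346e79e939e03f7eb0239570c45"
        "76fd571ae6ce1c0a8c9ba61124e4b4c673cedd74e95ebad9d8be3dfdda3a239c"
    ),
}
C2_HOST, C2_PORT = "77.91.68.253", 41783


def digest_all(data: bytes) -> dict:
    """Compute every digest the report lists, reading the bytes once."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_report(data: bytes) -> list:
    """Return the names of the report hashes these bytes match.

    Any single match is a hit; returning the list lets an analyst see which
    algorithms agreed when a feed only carried one of them.
    """
    digests = digest_all(data)
    return [name for name, value in REPORT_HASHES.items() if digests[name] == value]


# Constructed firewall-style log (assumed format, not from the report). The
# third and fourth lines go to the extracted C2 host and port; the second goes
# to the same host on a different port.
SAMPLE_CONN_LOG = """\
2023-05-18T10:01:02Z action=allow proto=tcp src=10.1.2.30:51872 dst=142.250.74.78:443
2023-05-18T10:01:05Z action=allow proto=tcp src=10.1.2.30:51880 dst=77.91.68.253:80
2023-05-18T10:01:09Z action=allow proto=tcp src=10.1.2.30:51891 dst=77.91.68.253:41783
2023-05-18T10:02:11Z action=deny proto=tcp src=10.1.2.45:50002 dst=77.91.68.253:41783
"""

CONN_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_c2_connections(lines, host=C2_HOST, port=C2_PORT, exact_port=True):
    """Return (timestamp, source IP, action) for every line whose destination
    is the C2. With exact_port=False any port on the C2 host is reported,
    which also catches a rebuilt config that keeps the host but changes the
    port (an assumption about operator behaviour), at the cost of more noise.
    Denied connections are kept: a blocked beacon still marks an infected host.
    """
    hits = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m or m["dst"] != host:
            continue
        if exact_port and int(m["dport"]) != port:
            continue
        hits.append((m["ts"], m["src"], m["action"]))
    return hits


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_CONN_LOG.splitlines()):
        print("C2 contact:", hit)
```

The hash check only identifies this exact build; RedLine is repacked frequently, so the network indicator is usually the longer-lived of the two.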

Targets

    • Target

      f807cd77d6fc15219f412601a11d9bee61c05dd0f083334a3c5c23427e3f08f3

    • Size

      1.0MB

    • MD5

      7c6f7c7e8f2e85a604614fca949b326a

    • SHA1

      380a09955fb81dd55013b05cbbd184b0df1ea589

    • SHA256

      f807cd77d6fc15219f412601a11d9bee61c05dd0f083334a3c5c23427e3f08f3

    • SHA512

      81617bf6037ce9273f9261b44c566556cfcb2346e79e939e03f7eb0239570c4576fd571ae6ce1c0a8c9ba61124e4b4c673cedd74e95ebad9d8be3dfdda3a239c

    • SSDEEP

      24576:4yA731oQq/ofPRF9zk5N0w5ftQHxGEu1nC+aRBMJj3EDa:/U3+Qq/aBzk3Z2D0nARKJ

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
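Two of the signatures above, the Defender real-time protection change and the Run key addition, are registry writes and so can be re-derived on an endpoint from Sysmon registry value-set events (Event ID 13). The script below is an added example, not tria.ge's own detection logic: it classifies constructed Sysmon-style events against those two behaviours and scores Run key entries higher when the autorun target or the writing process lives in a user-writable directory. The event records and the severity scheme are constructed for the example.

```python
"""Added example (not tria.ge's detection logic): derive two of the report's
signatures from Sysmon Event ID 13 (registry value set) records."""
import re

# Defender's real-time protection switches live under both the product key and
# the Policies key; the Policies copy overrides the UI setting, so malware
# usually writes there.
DEFENDER_RTP_RE = re.compile(
    r"\\(Policies\\Microsoft|Microsoft)\\Windows Defender\\Real-Time Protection\\Disable\w+$",
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$",
    re.IGNORECASE,
)
# Locations an unprivileged user can write to; autoruns pointing here, or
# written from here, are scored higher than vendor installs under Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE
)

DEFENDER_SIG = "Modifies Windows Defender Real-time Protection settings"
RUN_KEY_SIG = "Adds Run key to start application"


def classify_registry_event(event: dict) -> list:
    """Map one Sysmon Event ID 13 record to (signature, severity) pairs."""
    if event.get("EventID") != 13:
        return []
    target = event["TargetObject"]
    details = event.get("Details", "")
    hits = []
    # Sysmon renders DWORD data as "DWORD (0x00000001)"; only a value of 1
    # disables the feature, so a write of 0 (re-enabling it) is not flagged.
    if DEFENDER_RTP_RE.search(target) and details == "DWORD (0x00000001)":
        hits.append((DEFENDER_SIG, "high"))
    if RUN_KEY_RE.search(target):
        suspicious_location = USER_WRITABLE_RE.search(details) or USER_WRITABLE_RE.search(
            event.get("Image", "")
        )
        hits.append((RUN_KEY_SIG, "high" if suspicious_location else "low"))
    return hits


# Constructed records using Sysmon's field names (not from the report). The
# first two mimic the behaviours the signatures describe; the last two are
# benign noise a real host produces.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\WinUpdate\update.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\installer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
]


def scan(events) -> list:
    """Return (image, signature, severity) for every event that matches."""
    findings = []
    for event in events:
        for sig, sev in classify_registry_event(event):
            findings.append((event.get("Image", ""), sig, sev))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The other signatures in the list do not surface this way: the location and installed-software checks are registry reads, which Sysmon does not log, and SetThreadContext is an API call seen only through sandbox or EDR API tracing.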

MITRE ATT&CK Enterprise v6

Tasks