General

  • Target

    4a5831b7af2f328cdb2f3f291168fec3ded1f1564e0e06d9a94b8057159a8b25

  • Size

    1022KB

  • Sample

    230518-zpaa9scg6z

  • MD5

    72aeddc2cc83a1fccaeaa672760fbb54

  • SHA1

    521b66efadceb97c3a938ddb6930a6e302dadb61

  • SHA256

    4a5831b7af2f328cdb2f3f291168fec3ded1f1564e0e06d9a94b8057159a8b25

  • SHA512

    f2ba11fb472d2c19bca32efbc0de0158a060b43dc51583bd16468a5800adb718dd1a6cd6feacd19417e9ee2dd82f4a668548330499359bc58b9d01b2da66273b

  • SSDEEP

    24576:zyuR3GLDLaSbwfLIsWrrEk/3T9PEWBPPkCzvL:G0ObXsWrIk/VEWBHkCz

Malware Config

Extracted

Family

redline

Botnet

dako

C2

77.91.68.253:41783

Attributes
  • auth_value

    c6bc6a7edb74e0eff37800710e07bee1

Targets

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive profile data.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
