
General

  • Target

    6c446eb6dba3bf84d2cb9ad311b10a2168c7dbbffeadbf0be04ca4a49b286e44

  • Size

    1.0MB

  • Sample

    230520-wh6jcage6w

  • MD5

    a08062fac8d40c23d1cf65fffe88ab1e

  • SHA1

    6722f113f57b66981b43df98bab2d2e4c03ee3ae

  • SHA256

    6c446eb6dba3bf84d2cb9ad311b10a2168c7dbbffeadbf0be04ca4a49b286e44

  • SHA512

    50a081de498fbd19385e2730b254855fc3657dbdef9e3b0453a885a1947475c7e7e84688b87cc5ce1fe5e2157fd17bc046b9f5a5035d440e3146ee5ed0b36b38

  • SSDEEP

    24576:4yTU/XOLDa6gGTymCkb0uybnyqKrHOQ/6OdYNbof4:/TWabBRoZzKruQi2YZof

Malware Config

Extracted

Family

redline

Botnet

maxa

C2

77.91.124.251:19065

Attributes
  • auth_value

    3c06ec6b3eea9db7536a57bcc13f5bef
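The extracted config and the file hashes above are atomic indicators a responder would sweep logs for. As an added example (not part of the tria.ge report), the matcher below carries only the C2 endpoint and hashes from this report and runs them over constructed firewall and EDR lines; every host, path and timestamp in those sample lines is made up. A connection to the C2 host on a different port is reported separately with lower confidence, since RedLine builds vary the port and the host itself is the more stable indicator.

```python
import re

# Indicators taken from the tria.ge report above (sample 230520-wh6jcage6w).
C2_HOST = "77.91.124.251"
C2_PORT = 19065
HASHES = {
    "md5": "a08062fac8d40c23d1cf65fffe88ab1e",
    "sha1": "6722f113f57b66981b43df98bab2d2e4c03ee3ae",
    "sha256": "6c446eb6dba3bf84d2cb9ad311b10a2168c7dbbffeadbf0be04ca4a49b286e44",
}
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# ip:port pairs and standalone hex digests of 32 to 64 characters.
# The word boundaries keep a 128-char SHA512 from yielding a bogus 64-char hit.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")


def scan_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for ip, port in ENDPOINT_RE.findall(line):
        if ip != C2_HOST:
            continue
        if int(port) == C2_PORT:
            hits.append(("c2_endpoint", f"{ip}:{port}"))
        else:
            # Same host, other port: still worth a look, but lower confidence.
            hits.append(("c2_host_other_port", f"{ip}:{port}"))
    for hexstr in HEX_RE.findall(line):
        algo = HASH_LEN.get(len(hexstr))
        if algo and hexstr.lower() == HASHES[algo]:
            hits.append((f"{algo}_match", hexstr.lower()))
    return hits


def scan(lines):
    """Return (line_number, indicator_type, value) for every hit in the log."""
    return [(n, kind, value)
            for n, line in enumerate(lines, 1)
            for kind, value in scan_line(line)]


# Constructed sample log lines (hypothetical hosts and paths, not from the report).
SAMPLE_LOGS = [
    "2023-05-20T10:14:03Z fw ALLOW tcp 10.0.0.5:49812 -> 77.91.124.251:19065",
    "2023-05-20T10:14:09Z fw ALLOW tcp 10.0.0.5:49813 -> 77.91.124.251:443",
    "2023-05-20T10:13:58Z edr FileCreate C:\\Users\\user\\Downloads\\setup.exe "
    "sha256=6C446EB6DBA3BF84D2CB9AD311B10A2168C7DBBFFEADBF0BE04CA4A49B286E44",
    "2023-05-20T10:15:00Z fw ALLOW tcp 10.0.0.7:51000 -> 8.8.8.8:53",
]

if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value}")
```

Hash matching is case-insensitive because EDR products differ in how they render digests; the C2 IP is time-bound and should be retired once the host is reassigned, whereas the SHA256 stays valid for this exact build only.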

Targets

    • Target

      6c446eb6dba3bf84d2cb9ad311b10a2168c7dbbffeadbf0be04ca4a49b286e44

    • Size

      1.0MB

    • MD5

      a08062fac8d40c23d1cf65fffe88ab1e

    • SHA1

      6722f113f57b66981b43df98bab2d2e4c03ee3ae

    • SHA256

      6c446eb6dba3bf84d2cb9ad311b10a2168c7dbbffeadbf0be04ca4a49b286e44

    • SHA512

      50a081de498fbd19385e2730b254855fc3657dbdef9e3b0453a885a1947475c7e7e84688b87cc5ce1fe5e2157fd17bc046b9f5a5035d440e3146ee5ed0b36b38

    • SSDEEP

      24576:4yTU/XOLDa6gGTymCkb0uybnyqKrHOQ/6OdYNbof4:/TWabBRoZzKruQi2YZof

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
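Two of the behaviours listed above leave a registry write that endpoint telemetry can catch: disabling Defender Real-time Protection and adding a Run key. As an added example (not part of the tria.ge report), the classifier below applies those two checks to constructed Sysmon-style Event ID 13 (RegistryEvent value set) records; the images, SIDs and paths in the sample events are made up. The location and installed-software checks are registry reads, which Sysmon does not record, and the SetThreadContext call is an API-level signal, so neither is covered here.

```python
import re

# Defender Real-time Protection kill switches live under this key as
# DWORD values named Disable* (e.g. DisableRealtimeMonitoring).
RTP_DISABLE_RE = re.compile(
    r"\\Windows Defender\\Real-Time Protection\\Disable[A-Za-z]+$", re.IGNORECASE)
# A value written under any hive's ...\CurrentVersion\Run key.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# Sysmon renders DWORD data as "DWORD (0x00000001)".
DWORD_ONE_RE = re.compile(r"^DWORD \(0x0*1\)$")


def classify(event):
    """Return behaviour tags for one Sysmon-style registry event dict."""
    tags = []
    if event.get("EventID") != 13:      # only value-set events carry Details
        return tags
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    # Writing 1 disables the feature; a write of 0 (re-enabling) is ignored.
    if RTP_DISABLE_RE.search(target) and DWORD_ONE_RE.match(details):
        tags.append("defender_realtime_protection_disabled")
    if RUN_KEY_RE.search(target):
        tags.append("run_key_persistence")
    return tags


def scan_events(events):
    """Return (image, target_object, tag) for every tagged event."""
    return [(e.get("Image", ""), e.get("TargetObject", ""), tag)
            for e in events for tag in classify(e)]


# Constructed sample events (hypothetical image paths and SID, not from the report).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\build.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                     r"\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender"
                     r"\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\build.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user\AppData\Roaming\Updater\svc.exe"},
    {"EventID": 12, "Image": r"C:\Users\user\AppData\Local\Temp\build.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion"
                     r"\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for image, target, tag in scan_events(SAMPLE_EVENTS):
        print(f"{tag}: {image} -> {target}")
```

Both rules key on the value name rather than the hive, because the Policies path and the product path under HKLM both take effect, and a Run entry written under HKU by a process in a user's Temp directory is the pattern worth alerting on regardless of which user it belongs to.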
