General

  • Target

    6ebbdcfa8136b7333bf8fd99ca90886bcfc4e2ddf24b1e71b5d13375be07df73

  • Size

    1.0MB

  • Sample

    230520-yb6xmsed37

  • MD5

    521734f34bf6a50bfb015e55c3d6e4c1

  • SHA1

    ad8e995c56fdd6987ea2270fed82e5425b174f95

  • SHA256

    6ebbdcfa8136b7333bf8fd99ca90886bcfc4e2ddf24b1e71b5d13375be07df73

  • SHA512

    301f782084840ad7cea9f6a9a72d7b05dd327a9c38e3c852918d6a2b30433eda0c105631fe3456d7eca1d2ef78bff37daeb302cd203fb0ba144ccfb836fa58f1

  • SSDEEP

    24576:CyGYB7kWjO9begCpdqDrucaOUb6BPwg9ta:pGYB7y9agCTqPucHI4

Malware Config

Extracted

Family

redline

Botnet

daza

C2

77.91.124.251:19065

Attributes
  • auth_value

    0bd5963efefdd6409185423d5ca3439c

Targets

    • Target

      6ebbdcfa8136b7333bf8fd99ca90886bcfc4e2ddf24b1e71b5d13375be07df73

    • Size

      1.0MB

    • MD5

      521734f34bf6a50bfb015e55c3d6e4c1

    • SHA1

      ad8e995c56fdd6987ea2270fed82e5425b174f95

    • SHA256

      6ebbdcfa8136b7333bf8fd99ca90886bcfc4e2ddf24b1e71b5d13375be07df73

    • SHA512

      301f782084840ad7cea9f6a9a72d7b05dd327a9c38e3c852918d6a2b30433eda0c105631fe3456d7eca1d2ef78bff37daeb302cd203fb0ba144ccfb836fa58f1

    • SSDEEP

      24576:CyGYB7kWjO9begCpdqDrucaOUb6BPwg9ta:pGYB7y9agCTqPucHI4

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that decides whether to run on the host.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and autofill entries.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of SetThreadContext
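The signature names above and the extracted C2 are what an analyst would turn into detection logic. The following is an added example, not tria.ge's code and not part of this report: it maps sandbox-style event lines to the behavioural signatures listed above and flags connections to the extracted RedLine C2. The event-line format `kind|op|target` and the sample event lines are constructed for illustration (they are not from this sandbox run); the registry and file paths in the rules are the well-known Windows locations that each signature name refers to, not paths taken from the report.

```python
"""Map sandbox-style event lines to the behaviour signatures and the
extracted C2 shown in this report.

Added example, not tria.ge's code. The line format "<kind>|<op>|<target>"
and the SAMPLE_EVENTS below are constructed for illustration; the registry
and file paths are the well-known locations each signature name refers to.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Extracted config from this report (family redline, botnet daza).
REDLINE_C2 = "77.91.124.251:19065"


class Event(NamedTuple):
    kind: str    # registry | file | network
    op: str      # query | set | read | connect
    target: str  # registry path, file path or host:port


class Rule(NamedTuple):
    name: str        # signature name exactly as the report prints it
    kind: str
    ops: Set[str]    # which operations count: a *query* of a Run key is not persistence
    pattern: re.Pattern


RULES: List[Rule] = [
    Rule("Checks computer location settings", "registry", {"query"},
         re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    Rule("Checks installed software on the system", "registry", {"query"},
         re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", re.I)),
    Rule("Adds Run key to start application", "registry", {"set"},
         re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
    Rule("Modifies Windows Defender Real-time Protection settings", "registry", {"set"},
         re.compile(r"\\Windows Defender\\Real-Time Protection\\", re.I)),
    Rule("Reads user/profile data of web browsers", "file", {"read"},
         # Chromium-family credential store; other browsers need further patterns.
         re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I)),
]


def parse_events(text: str) -> List[Event]:
    """Parse 'kind|op|target' lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        kind, op, target = parts
        events.append(Event(kind.lower(), op.lower(), target))
    return events


def match_rules(events: List[Event]) -> Dict[str, List[str]]:
    """Return {signature name: [matching targets]} for every rule that fired."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        for rule in RULES:
            if ev.kind == rule.kind and ev.op in rule.ops and rule.pattern.search(ev.target):
                hits[rule.name].append(ev.target)
    return dict(hits)


def c2_contacts(events: List[Event]) -> List[str]:
    """Network connects to the extracted C2 host on any port.

    Host and port are compared separately so that a contact with the C2 host
    on a different port is still surfaced rather than silently dropped.
    """
    c2_host = REDLINE_C2.rsplit(":", 1)[0]
    return [ev.target for ev in events
            if ev.kind == "network" and ev.op == "connect"
            and ev.target.rsplit(":", 1)[0] == c2_host]


def triage(text: str) -> Dict[str, object]:
    events = parse_events(text)
    hits = match_rules(events)
    contacts = c2_contacts(events)
    return {
        "signatures": sorted(hits),
        "hits": hits,
        "c2_contacts": contacts,
        "exact_c2": REDLINE_C2 in contacts,
    }


# Constructed sample events (not from the sandbox run): one per behaviour
# above plus two benign lines that must not fire.
SAMPLE_EVENTS = r"""
registry|query|HKCU\Control Panel\International\Geo\Nation
registry|query|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
registry|query|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive
registry|set|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater
registry|set|HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
file|read|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
registry|query|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
network|connect|77.91.124.251:19065
"""

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for name in result["signatures"]:
        print(f"[+] {name}: {result['hits'][name]}")
    print("[+] C2 contacts:", result["c2_contacts"], "exact:", result["exact_c2"])
```

The operation filter matters: the benign `query` of the Run key in the sample does not count as "Adds Run key", only the `set` does, and a host-only C2 match is reported even when the port differs, with `exact_c2` telling the two cases apart.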
