General

  • Target: 02410e6fd1ce79b4a77029c02f830cc366f67b3a80380592deb79358ef8a6b72
  • Size: 1.0MB
  • Sample: 230521-d72mksga76
  • MD5: 8bb3339f1ff22657317674e4a2007c85
  • SHA1: df580508e351a663530b7fa8c1227fc190337899
  • SHA256: 02410e6fd1ce79b4a77029c02f830cc366f67b3a80380592deb79358ef8a6b72
  • SHA512: 03bde0f415bcf656954faac8bece4ddb0a2cdc5315ffa9124c353f683ee08b50fb7e00986a6c059752f6a5c6b6ec767db1817099fc444699dec6b641ba35d419
  • SSDEEP: 24576:QyTKzZdVVOWIKOypAO9bPt0YsO6l0vpxujZG3M:XOzZdTt9ztZ9rB4G

Malware Config

Extracted

  • Family: redline
  • Botnet: diza
  • C2: 185.161.248.37:4138
  • Attributes
    • auth_value: 0d09b419c8bc967f91c68be4a17e92ee

Targets

    • Target: 02410e6fd1ce79b4a77029c02f830cc366f67b3a80380592deb79358ef8a6b72

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
