General

  • Target

    formatter957.exe

  • Size

    1.0MB

  • Sample

    230521-xkt4rsef8t

  • MD5

    17cc2a645ede65f983a294ceeeb13198

  • SHA1

    edb2cc732904fcb7cd6e96726ad3344b87845083

  • SHA256

    4b7480329a21a3fa3ca7e9b4f897f0b5851088cc0578c4bcde9bb9403f0ff044

  • SHA512

    4d1370b1edc540b0585a06efbc1f5b5b08fdd944d2a29686dfb66b74dda89fae9681d82083d12782b107fa433171ef22aff5ddbc31c3ac97bb28652a2452b65b

  • SSDEEP

    24576:CyzQFbr9fuPESPJT1wxaR9QCHragboxBSv4K96O:pzQh9fuMSPpWER9Qezb+BxKc

Malware Config

Extracted

Family

redline

Botnet

diza

C2

185.161.248.37:4138

Attributes

  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Targets

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6