General

  • Target: 16e13e01d5462ac7c502cd94946ebded.bin
  • Size: 987KB
  • Sample: 230522-bf79yaga8w
  • MD5: e9f65ddcabd986303f001297c1c2e054
  • SHA1: d8cc1fd6c033ceb30887094e56caee1bcc5f62fa
  • SHA256: 440eecebe4cdae53d95b5a9331f2c298099ad3aa0af8b767db853610745b287e
  • SHA512: a23001c65554aa8884aa46029c96c3be90b3e71cfdb236fecbd3212ac078dd9bcb1ac54e72cc0c41e74e188648d4a427a28ef7e837e9fc7fc4df56584f7e0067
  • SSDEEP: 24576:OovqPaFZWjldmT0dOkYS5qPl/xJ7tR7OvJHgG:OUea+jldmT0to57tR6tN

Malware Config

Extracted

  • Family: redline
  • Botnet: maxa
  • C2: 77.91.124.251:19065
  • Attributes
      • auth_value: 3c06ec6b3eea9db7536a57bcc13f5bef

Targets

    • Target: 7df898f186e364daba1451db378cfc745d118360d79dd8570402246bb8935fa3.exe
    • Size: 1.0MB
    • MD5: 16e13e01d5462ac7c502cd94946ebded
    • SHA1: 6b88537c85f58b6518b6e9cb6f57d9be5e91277f
    • SHA256: 7df898f186e364daba1451db378cfc745d118360d79dd8570402246bb8935fa3
    • SHA512: c6e935ffa152e0eaa2345d439a55f4e972ea2e21220de6bbca49a47f1bae2f560c8006b292d30952057423e0276ef423b3e9dbe11a6dd7a21d437609a4cb73bc
    • SSDEEP: 24576:ryZWercgdOPkqwLc9qUb9cQivncoT/yxR8kjqUY4gjarjflGF/:eZW1PkYqUb9cQiPcaYWkVZgmr7l

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks