Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    65bbde658f35ee5309fba7c441a027e3a9e0ccf8cbd88a73b7032d05f5bcbf7b

  • Size

    1.0MB

  • Sample

    230523-ma3ytaff81

  • MD5

    f9ea60833a1c22dbbf74f849a700c890

  • SHA1

    c58cda05ff0b0c79e46baff97ecc552f45a022e0

  • SHA256

    65bbde658f35ee5309fba7c441a027e3a9e0ccf8cbd88a73b7032d05f5bcbf7b

  • SHA512

    0d0cb3b00424fdfa6d0e02e7558b380b0da7d1278a8bb7b59ec0f1e7713aa7f7d51bbb6a91d52f29f38661b6750e286f8c9e549edceaef6be7597dc826752304

  • SSDEEP

    24576:ayAnT05P6/iv5qUfvij34Qx1gxIiNrN1rKraBYn6:hRPnTvi5x1Q71r+

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.122:19062

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Targets

    • Target

      65bbde658f35ee5309fba7c441a027e3a9e0ccf8cbd88a73b7032d05f5bcbf7b

    • Size

      1.0MB

    • MD5

      f9ea60833a1c22dbbf74f849a700c890

    • SHA1

      c58cda05ff0b0c79e46baff97ecc552f45a022e0

    • SHA256

      65bbde658f35ee5309fba7c441a027e3a9e0ccf8cbd88a73b7032d05f5bcbf7b

    • SHA512

      0d0cb3b00424fdfa6d0e02e7558b380b0da7d1278a8bb7b59ec0f1e7713aa7f7d51bbb6a91d52f29f38661b6750e286f8c9e549edceaef6be7597dc826752304

    • SSDEEP

      24576:ayAnT05P6/iv5qUfvij34Qx1gxIiNrN1rKraBYn6:hRPnTvi5x1Q71r+

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks