
General

  • Target: b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5
  • Size: 1.0MB
  • Sample: 230525-qsrkaaba3s
  • MD5: c9e4f65ed88d9bd1797d0f209bc9adcb
  • SHA1: 1d91ebd9cc2f0f41d92932739a9e4a7e1783e489
  • SHA256: b7b010c8489e943e4c95dca4d0d55bc366fff450a7fcc0d1fd3d48c7ababebb5
  • SHA512: 7f4e1579c06af9274d66312b8f54fca0e733eceaa646081e049dbef78bf95326225db4e253380532baedd5f0a7c1d80a6db756860d13b116b376735ec5be9b0c
  • SSDEEP: 24576:ryi067E+0g0pXpry90yflOVy1saTaqDPsB:eiMNyiqB37

Malware Config

Extracted

  • Family: redline
  • Botnet: lina
  • C2: 83.97.73.122:19062
  • Attributes
    • auth_value: 13523aee5d194d7716b22eeab7de10ad

Extracted

  • Family: redline
  • Botnet: fash
  • C2: 83.97.73.122:19062
  • Attributes
    • auth_value: dd7165bcd22b0ed3df426d944e12f136

Extracted

  • Family: gurcu
  • C2: https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Targets


    • Gurcu, WhiteSnake: Gurcu is a malware stealer written in C#.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • Downloads MZ/PE file
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Adds Run key to start application
    • Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext
