Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775
-
Size
1.0MB
-
Sample
230525-s3715aba75
-
MD5
b0ac4be3ad35a4d63a610235b9c1c745
-
SHA1
3e4f020d5f3daf08cb1a4486b2dd801363f0e560
-
SHA256
3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775
-
SHA512
48caa71d39c3b4380074ee2f115a7e22261d59d1d7c9410f149c1afecc73905b4c23527502b339ec6d66b59c16a5cc0402ab0af90120add7af1f30a78b9d6cbb
-
SSDEEP
24576:Byij5IkNz2AIY+CSeWDPAvO7CeNKPVFl+XLP5V:0QIn70SLIOvIVyj
Static task
static1
Behavioral task
behavioral1
Sample
3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
redline
lina
83.97.73.122:19062
-
auth_value
13523aee5d194d7716b22eeab7de10ad
Extracted
redline
fash
83.97.73.122:19062
-
auth_value
dd7165bcd22b0ed3df426d944e12f136
Extracted
gurcu
https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160
Extracted
redline
crypto
163.123.142.235:61068
Targets
-
-
Target
3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775
-
Size
1.0MB
-
MD5
b0ac4be3ad35a4d63a610235b9c1c745
-
SHA1
3e4f020d5f3daf08cb1a4486b2dd801363f0e560
-
SHA256
3dee4f24b15b8ddd995316aed99f4e4f2f98b6e66105410d543f0646b85aa775
-
SHA512
48caa71d39c3b4380074ee2f115a7e22261d59d1d7c9410f149c1afecc73905b4c23527502b339ec6d66b59c16a5cc0402ab0af90120add7af1f30a78b9d6cbb
-
SSDEEP
24576:Byij5IkNz2AIY+CSeWDPAvO7CeNKPVFl+XLP5V:0QIn70SLIOvIVyj
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SectopRAT payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-