General

  • Target

    5532954fa666ddd5bc80e520666dabd6deb3f4aaa4a2f3b96359e06521aaf51c

  • Size

    1.0MB

  • Sample

    230525-syzh7aba55

  • MD5

    3f79b662f533ac5fcc06ececbc8a79e6

  • SHA1

    913173b6fd134136757ecb0123bc7f53e41546fd

  • SHA256

    5532954fa666ddd5bc80e520666dabd6deb3f4aaa4a2f3b96359e06521aaf51c

  • SHA512

    5a7234f15b2ebd85df1ad7f6158b21ca21806af16e75163af1c8e2a0d7715024520c6e381a4fe1ee293fae1e502d4a89554dc0a5d708d1d4edfe74b4797c95ef

  • SSDEEP

    24576:pyxMp5oOprGFQ8t7GDwsm+bWkW3ga5a/7wBB:carGFQ8taWx3n

Malware Config

Extracted

Family

redline

Botnet

lina

C2

83.97.73.122:19062

Attributes

  • auth_value

    13523aee5d194d7716b22eeab7de10ad

Extracted

Family

redline

Botnet

fash

C2

83.97.73.122:19062

Attributes

  • auth_value

    dd7165bcd22b0ed3df426d944e12f136

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Targets

    • Target

      5532954fa666ddd5bc80e520666dabd6deb3f4aaa4a2f3b96359e06521aaf51c

    • Size

      1.0MB

    • MD5

      3f79b662f533ac5fcc06ececbc8a79e6

    • SHA1

      913173b6fd134136757ecb0123bc7f53e41546fd

    • SHA256

      5532954fa666ddd5bc80e520666dabd6deb3f4aaa4a2f3b96359e06521aaf51c

    • SHA512

      5a7234f15b2ebd85df1ad7f6158b21ca21806af16e75163af1c8e2a0d7715024520c6e381a4fe1ee293fae1e502d4a89554dc0a5d708d1d4edfe74b4797c95ef

    • SSDEEP

      24576:pyxMp5oOprGFQ8t7GDwsm+bWkW3ga5a/7wBB:carGFQ8taWx3n

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks