Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    a24eecf198fa982b1b31f389f637f2b336d2a1691aa6547fb01c20d6a553f741

  • Size

    1.0MB

  • Sample

    230526-3a4hcahh9y

  • MD5

    e614eeb8f38c51e9b2121ea29a233b8c

  • SHA1

    f2d118dd05105f823aea82c0a7e1e11518ec8566

  • SHA256

    a24eecf198fa982b1b31f389f637f2b336d2a1691aa6547fb01c20d6a553f741

  • SHA512

    2d2c5fd9440a58840d05b00c7de636aa036c43a9b566dcec6ac63eaa05ee710e01bd616b27e5c6294fe9e71154a036950b088e4e50325da787e27ec30191a00c

  • SSDEEP

    24576:eyuEA+BxVR0Wv9q+Dt91dTty1Ttk33S1dE+MU9MuV2NIERZWroBnv:tukzVRZjtzdT4gC1dE+MHY22ERZWroBn

Malware Config

Extracted

Family

redline

Botnet

lusa

C2

83.97.73.127:19062

Attributes
  • auth_value

    c9df946711e01c378b42221de692acbd

Extracted

Family

redline

Botnet

munder

C2

83.97.73.127:19062

Attributes
  • auth_value

    159bf350f6393f0d879c80a22059fba2

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

Newday2

Mutex

BYUzsfcfTrDGdfgfGfnhhy6cerhcehrctRCRTHCr

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/7JZQMzKS

aes.plain

Targets

    • Target

      a24eecf198fa982b1b31f389f637f2b336d2a1691aa6547fb01c20d6a553f741

    • Size

      1.0MB

    • MD5

      e614eeb8f38c51e9b2121ea29a233b8c

    • SHA1

      f2d118dd05105f823aea82c0a7e1e11518ec8566

    • SHA256

      a24eecf198fa982b1b31f389f637f2b336d2a1691aa6547fb01c20d6a553f741

    • SHA512

      2d2c5fd9440a58840d05b00c7de636aa036c43a9b566dcec6ac63eaa05ee710e01bd616b27e5c6294fe9e71154a036950b088e4e50325da787e27ec30191a00c

    • SSDEEP

      24576:eyuEA+BxVR0Wv9q+Dt91dTty1Ttk33S1dE+MU9MuV2NIERZWroBnv:tukzVRZjtzdT4gC1dE+MHY22ERZWroBn

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Async RAT payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks