Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    7b79e4e0f7b1a8047cde4d10b4f85afc167b35300fc2728fc3a829a10a956c2a

  • Size

    731KB

  • Sample

    230531-elca8sdb2s

  • MD5

    0b487ddb0a76d681670882caa7c02c7a

  • SHA1

    2cd1dbb28957ebfac544314474d31965aeffb6bf

  • SHA256

    7b79e4e0f7b1a8047cde4d10b4f85afc167b35300fc2728fc3a829a10a956c2a

  • SHA512

    f2ad23b670a5e18366af9164d3d8066902ff548291f7b7db8362bca0e044cb38f91c91574c37241ea376dae1a557597bbc0cc2491f750893e5397fe500ef24dd

  • SSDEEP

    12288:RMryy906AaIpBS71ALlwe0C/sVQbExWlbKNLHEnOR5RN28XMB5DtP6rbwiR2WXP3:XyLoa63svxubQHl/2BB5DHWt6W

Malware Config

Extracted

Family

redline

Botnet

dusa

C2

83.97.73.127:19045

Attributes
  • auth_value

    ee896466545fedf9de5406175fb82de5

Extracted

Family

redline

Botnet

tinda

C2

83.97.73.127:19045

Attributes
  • auth_value

    88da3924455f4ba3a1b76cd03af918bb

Targets

    • Target

      7b79e4e0f7b1a8047cde4d10b4f85afc167b35300fc2728fc3a829a10a956c2a

    • Size

      731KB

    • MD5

      0b487ddb0a76d681670882caa7c02c7a

    • SHA1

      2cd1dbb28957ebfac544314474d31965aeffb6bf

    • SHA256

      7b79e4e0f7b1a8047cde4d10b4f85afc167b35300fc2728fc3a829a10a956c2a

    • SHA512

      f2ad23b670a5e18366af9164d3d8066902ff548291f7b7db8362bca0e044cb38f91c91574c37241ea376dae1a557597bbc0cc2491f750893e5397fe500ef24dd

    • SSDEEP

      12288:RMryy906AaIpBS71ALlwe0C/sVQbExWlbKNLHEnOR5RN28XMB5DtP6rbwiR2WXP3:XyLoa63svxubQHl/2BB5DHWt6W

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks